Open Source Security - A vendor's perspective
Talk details
This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
Internal
Plone's processes for issuing hotfixes have evolved over the years. The first part of this talk will explain how we, the security team, go about preparing a new hotfix. We'll explain the structure we use and the quality assurance steps we go through, as well as the more general reasoning behind two decisions: why we started pre-announcing hotfixes, and why we issue them on the day of the week that we do.
By the end of this section, you'll:
- Know how to make accurate bug reports on security vulnerabilities
- Be able to write and contribute draft hotfixes to the security team
- Understand the tradeoffs we make when releasing hotfixes
- Feel sorry for us
External
Most users won't be aware of the work that happens behind the scenes to communicate what is happening in Plone to downstream vendors, such as Red Hat. I'll talk about some of the flaws in how security vulnerabilities are reported online, and teach you the industry-standard terms that we use, so you can understand any security announcement more easily.
By the end of this section, you'll:
- Understand and evaluate the risks involved in not applying a particular fix
- Be able to make accurate comparisons of security issues in different open source projects
- Know how to report problems you find in add-on or third-party products in a way that the wider security community can understand
- Never trust a security database again
Speaker details
Matt splits his time between working as an independent Plone/Pyramid freelancer and as a director at The Code Distillery, where he works on security and performance for web applications. He is a member of the Zope and Plone security teams and a Plone Foundation board member.