Building the FOSS security commons
Why Is There No Free and Open Software Vulnerability Database?
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit, and on a mission to make FOSS code easier and safer to reuse with best-in-class open source tools for open source discovery, software composition analysis, and license and security compliance at https://aboutcode.org
Philippe contributes to several other projects, including the Linux kernel SPDX-ification, the SPDX and ClearlyDefined projects, strace and several Python tools, and previously to JBoss, Eclipse and Mozilla. Philippe has also been a long-time Google Summer of Code mentor and org admin.
Work-wise, he is the CTO of nexB, a company that helps software teams track what's in their code with DejaCode, an open source governance and compliance dashboard.
Something is not right: databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained. Why is there no free and open data alternative? After all, this is all about FOSS code. Security data is too important to not be free.
"Using Components with Known Vulnerabilities" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structures and tools that are (1) designed primarily for proprietary software components and (2) incomplete and too dependent on voluntary submissions to the National Vulnerability Database sponsored by the US government.
With the explosion of FOSS usage we need a new approach to efficiently catalog and identify FOSS security vulnerabilities based on open data and FOSS tools.
Find out about the FOSS tools we have built to aggregate, relate and curate software component vulnerability data from multiple sources, and to automate the search for FOSS component security vulnerabilities.
Help us build the security commons and improve the security of software applications with open tools and data for everyone.
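To make the aggregate-relate-curate idea concrete, here is an added example that is not code from the talk nor from the AboutCode or nexB projects it mentions. It normalizes records from two constructed feeds with different field names, merges records that name the same vulnerability (directly or through aliases) for the same package, and then checks an application's component list against the merged view. The feed names, package identifiers, version numbers and vulnerability ids are all constructed placeholders, and the version comparison is deliberately naive.

```python
"""
Added example, not code from the talk or from the AboutCode/nexB projects it
mentions: aggregate vulnerability records from several feeds, relate them to
package identifiers and check an application's components against the result.
Feed names, package identifiers and vulnerability ids are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    vuln_id: str              # identifier as given by the source feed
    package: str              # package identifier (purl-style string)
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version, or None if the feed knows none
    source: str               # feed the record came from
    aliases: Tuple[str, ...]  # other ids the feed says name the same vulnerability


# Constructed feeds. FEED_A (NVD-like) knows one issue under a CVE-style placeholder
# id; FEED_B (upstream-like) knows two issues under its own ids and links one to FEED_A.
FEED_A = [
    {"id": "CVE-0000-0001", "purl": "pkg:pypi/examplelib",
     "vulnerable_from": "1.0.0", "fixed_in": "1.4.2"},
]
FEED_B = [
    {"id": "EXAMPLE-2020-01", "purl": "pkg:pypi/examplelib", "introduced": "1.0.0",
     "fixed": "1.4.2", "aliases": ["CVE-0000-0001"]},
    {"id": "EXAMPLE-2020-02", "purl": "pkg:npm/examplejs", "introduced": "2.0.0",
     "fixed": None, "aliases": []},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real feeds need per-ecosystem version schemes."""
    return tuple(int(part) for part in v.split("."))


def normalize_feed_a(records) -> List[Advisory]:
    # Each feed uses its own field names; normalization maps them onto one shape.
    return [Advisory(r["id"], r["purl"], r["vulnerable_from"], r["fixed_in"], "feed-a", ())
            for r in records]


def normalize_feed_b(records) -> List[Advisory]:
    return [Advisory(r["id"], r["purl"], r["introduced"], r["fixed"], "feed-b",
                     tuple(r["aliases"])) for r in records]


def aggregate(advisories: List[Advisory]) -> Dict[Tuple[str, str], dict]:
    """Merge advisories naming the same vulnerability (directly or via aliases) for
    the same package. Returns {(canonical_id, package): merged_entry}."""
    parent: Dict[str, str] = {}  # union-find over vulnerability ids

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = sorted((find(a), find(b)))  # smaller id becomes the canonical root
        if ra != rb:
            parent[rb] = ra

    for adv in advisories:
        for alias in adv.aliases:
            union(adv.vuln_id, alias)

    merged: Dict[Tuple[str, str], dict] = {}
    for adv in advisories:
        key = (find(adv.vuln_id), adv.package)
        entry = merged.setdefault(key, {"ids": set(), "sources": set(),
                                        "introduced": adv.introduced, "fixed": adv.fixed})
        entry["ids"].add(adv.vuln_id)
        entry["ids"].update(adv.aliases)
        entry["sources"].add(adv.source)
        if entry["fixed"] is None:  # a second feed may supply the fix the first lacked
            entry["fixed"] = adv.fixed
    return merged


def is_affected(entry: dict, version: str) -> bool:
    v = parse_version(version)
    if v < parse_version(entry["introduced"]):
        return False
    return entry["fixed"] is None or v < parse_version(entry["fixed"])


def find_vulnerable(components: Dict[str, str], merged) -> List[Tuple[str, str, str, List[str]]]:
    """components maps package identifier -> installed version.
    Returns (package, version, canonical vuln id, reporting feeds) for each hit."""
    hits = []
    for (vuln_id, package), entry in sorted(merged.items()):
        if package in components and is_affected(entry, components[package]):
            hits.append((package, components[package], vuln_id, sorted(entry["sources"])))
    return hits


if __name__ == "__main__":
    db = aggregate(normalize_feed_a(FEED_A) + normalize_feed_b(FEED_B))
    app = {"pkg:pypi/examplelib": "1.3.0", "pkg:npm/examplejs": "2.5.0", "pkg:pypi/unrelated": "0.9"}
    for hit in find_vulnerable(app, db):
        print(hit)
```

The point the example makes is the one the abstract makes: the npm component is only flagged because the second feed was included, and the first feed's record gains a second corroborating source once aliases are resolved. A single database, populated by voluntary submissions, would miss the first and know nothing about the second.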
- Date: 2020 October 15 - 20:00
- Duration: 30 min
- Room: Room 1
- Language:
- Track: Quality Assurance
- Difficulty: Easy