John Viega, CTO, Secure Software, Inc.
Date: Wednesday, July 28
Time: 10:45am - 12:20pm
Location: Salon I
The "many eyeballs" phenomenon isn't yet having a great impact on the security of open source software. Developers need to be proactive on security issues, instead of assuming someone else will do all the hard stuff.
To make matters worse, the popular security problems that every developer hears about -- such as buffer overflows and cross-site scripting -- really only scratch the surface. Even the people who focus on these popular problems often don't have a broad view of what can go wrong, particularly when it comes to areas like cryptography. For example, there's a big misconception that SSL is a drop-in security solution. It's far from it: SSL encrypts the channel, but it authenticates nothing unless the application actually checks the certificate it is handed, and most of the SSL deployments in open source software carry major risks of exactly this kind.
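The abstract doesn't spell out what goes wrong with a "drop-in" SSL deployment, so here is an added example (not code from the session, the speaker, or Secure Software) in Python, using only the standard-library ssl module. It puts the anti-pattern most often found in the wild, encrypting without authenticating the peer, beside the hardened form, and adds a small audit helper that reports why a given client context would accept an impostor's certificate. The function names and the audit helper are my own.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The common 'drop-in SSL' anti-pattern: the channel is encrypted, but the
    peer is never authenticated, so any certificate is accepted, including one
    minted by an attacker sitting between client and server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain validation disabled entirely
    return ctx


def secure_client_context(cafile=None) -> ssl.SSLContext:
    """Hardened form: validate the chain against a trust store (the system store,
    or `cafile` for a private CA) and match the certificate to the host name we
    intended to reach. Both are create_default_context()'s defaults; the minimum
    protocol version is pinned explicitly so the audit below has something to check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for each way `ctx` fails to authenticate the
    server. An empty list means the context really does authenticate the peer."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions are negotiable")
    return findings


def fetch_peer_cert(host: str, port: int = 443, ctx=None) -> dict:
    """Connect with a verifying context and return the validated peer certificate.
    Passing server_hostname is what enables SNI and host-name matching; with
    insecure_client_context() this call would 'succeed' against an impostor too.
    Needs network access, so it is not exercised by the offline checks below."""
    ctx = ctx or secure_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_client_context(ctx) or ["OK: peer is authenticated"])
```

The point of the audit helper is that the dangerous settings are two attribute assignments away from the safe ones, which is why they show up so often in code that was only ever tested against a server the developer controlled. Run the audit over every SSLContext a code base builds (or grep for CERT_NONE and check_hostname = False) before trusting that "it uses SSL" means anything.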
In this session we'll talk about the major security risks OSS developers should know about, and look at ways of mitigating them. We'll focus on solving problems with other open source solutions, where appropriate.
Yes, we'll spend a bit of time looking at solutions for C and C++ programmers, including both library-level solutions and operational solutions. But we'll also focus on problems common to higher-level languages such as Perl, Python, and PHP, and even look at secure design methodologies for architecting more secure software from the ground up.