O'Reilly Open Source Convention

Building More Secure OSS (Using OSS)
John Viega, CTO, Secure Software, Inc.

Track: Security
Date: Wednesday, July 28
Time: 10:45am - 12:20pm
Location: Salon I


The "many eyeballs" phenomenon isn't yet having a great impact on the security of open source software. Developers need to be proactive on security issues, instead of assuming someone else will do all the hard stuff.

To make matters worse, the popular security problems that every developer hears about -- such as buffer overflows and cross-site scripting -- really only scratch the surface. Even the people who focus on these popular problems often don't have a broad view of what can go wrong, particularly when it comes to areas like cryptography. For example, there's a big misconception that SSL is a drop-in security solution. It's far from that, and most of the SSL deployments in open source software have major risks.

In this session we talk about the major security risks OSS developers should know about, and look at ways of mitigating those risks. We'll focus on how to solve problems using other open source solutions, where appropriate.

Yes, we'll spend a bit of time looking at solutions for C and C++ programmers, including both library-level solutions and operational solutions. But we'll also focus on common problems that cross languages like Perl, Python, and PHP, and even look at secure design methodologies for architecting more secure software from the ground up.


© 2004, O'Reilly Media, Inc.