Recent vulnerabilities like Heartbleed and Shellshock have brought the security practices and security track record of open-source projects into the spotlight. A project’s response to security issues can have a major impact on how much risk end users are exposed to and how the project is perceived in the technology industry.
In this talk, we will compare the security practices of key infrastructure projects such as Linux, Xen Project, Ceph, OVS, OpenNebula and others. We will explore the trade-offs of different security practices, such as community trust, competing stakeholder interests, fairness and media coverage of vulnerabilities.
Finally, we will explore the evolution of the Xen Project’s security process over the past 3 years as a case study. We will illustrate the trade-offs, pain points and unexpected issues we have experienced, to help other projects and their users understand the potential pitfalls in designing robust security processes.
Author Biography
Lars Kurth had his first contact with the open source community in 1997 when he worked on various parts of the ARM toolchain. This experience led Lars to become a passionate open source enthusiast who has worked with and for many open source communities over the past 17 years. Lars contributed to projects such as GCC, Eclipse, Symbian and Xen and became the open source community manager for Xen.org in 2011 and later chairman of the Xen Project Advisory Board. Lars is an IT generalist with a wide range of skills in software development and methodology. He is experienced in leading and building engineering teams and communities, as well as constructing marketing, product management, and change programs impacting thousands of users. He has 19 years of industry experience in the infrastructure, tools and mobile sectors working at ARM, Citrix, Nokia and the Symbian Foundation.