Re: [SLUG] Security for Open Source Application

From: José Miguel Parrella Romero (bureado@debian.org)
Date: Tue Jun 30 2009 - 12:40:07 EDT


Pete Theisen wrote:
> Is security especially problematic in open source? I have personally
> only had one event to my website, but if the source code for a web
> application is out there, it seems that an attacker has an advantage.

Having the source code out there is not a security flaw per se. However,
if the developers (which might be an individual, a group of individuals,
a community or even a big company) lack proper measures to respond to
any specific incidents that might arise from having their code open to
others' eyes, then there's a problem.

OTOH, if people believe and work on a peer-based review for open source
code out there, past events seem to support that FOSS code actually
becomes more secure in time.

> I am planning a Python application on the Dabo <http://dabodev.com/>
> framework, both are open source. The data on a web server will be of the
> type that is HIPAA protected so the security has to be pretty good. The
> people interested in stealing the data will be insurance companies so
> they will presumably have really good crackers working for them.

...

> On advice, I was thinking of requiring WPA for wireless users (or use
> hard wire) and using a SSL tunnel to the server. Also, I intend to keep
> the personal contact information separate from the case data.

Sometimes, most requirements for compliance can be achieved through an
integral, structural focus mainly involving securing transports and
separating and properly securing data. This is what you're pointing at
with this idea. I don't believe free and open source software to be
weaker from a security standpoint than closed source software, not even
in a compliance scenario.

If you really require wireless access to the system, then WPA2 and
RADIUS are sound options. Switching to wired-only doesn't increase
security unless you have physical security as per access prevention to
your wired network. Nowadays, even legitimate computers connected to a
wired network might be compromised and set up as a wireless access point.

Regarding SSL, it's generally a good idea, as long as you check, trust
and block access upon identity mismatches. If both ends support
communicating using TLS/SSL, then you can use it already (go ahead and
buy certs or build your own CA); otherwise you can set up a VPN using SSL
or secure communications through SSL tunnels.

Of course, users should be required to access the system using only
SSL/TLS in their browsers. It's out there in most browsers - even in
mobile phones.

Your application should implement some level of security, which
transcends the fact it's open or closed source. You can compile hashes
for any messages between data sources and application logic to enforce
integrity checks, you can use a centralized LDAP server where all user
accounts can be held, configure access levels and disable/enable when
necessary. You can encrypt data in the databases, which will have an
impact on performance but won't let sysadmins access users' data.

HTH,
Jose
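The hash-based integrity check on messages between data sources and application logic that Jose suggests, as an added example that is not part of the original thread: the data source attaches a keyed HMAC-SHA256 tag to each record and the application logic verifies it before processing. Python standard library only; the key and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed example key. In a real deployment the key is generated with
# os.urandom(32) and shared only between the data source and the application.
INTEGRITY_KEY = b"constructed-example-key-do-not-reuse"


def canonical(payload: dict) -> bytes:
    """Serialise a record deterministically so both ends hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Data-source side: compute an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_message(message: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Application side: recompute the tag and compare in constant time.

    A missing, altered or wrong-key tag all yield False; the tag is never
    trusted just because the payload looks well-formed.
    """
    payload = message.get("payload")
    tag = message.get("tag", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def process(message: dict) -> dict:
    """Reject any record whose integrity tag does not verify before using it."""
    if not verify_message(message):
        raise ValueError("integrity check failed; message rejected")
    return message["payload"]


if __name__ == "__main__":
    # Constructed case record: it carries only a case id, keeping personal
    # contact information in a separate store as the thread recommends.
    record = {"case_id": 17, "diagnosis_code": "Z00.0", "visit": "2009-06-30"}
    message = sign_message(record)
    print("accepted:", process(message))
    tampered = {"payload": dict(record, case_id=18), "tag": message["tag"]}
    print("tampered verifies:", verify_message(tampered))
```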
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:22:48 EDT