THE EMBEDDED FRONTIER PODCAST Episode #005 – The Risk of Zero-Day Attacks in Open Source Software with Frank Huerta

Want to watch this episode instead? Check it out on our YouTube channel here!

Summary

In this episode, Jacob Beningo interviews Frank Herta, the CEO of Curtail Incorporated, about the risks of zero-day attacks in open-source software. They discuss the importance of DevSecOps and the need for comprehensive security measures. Frank shares his background in security and how his company is working on detecting zero-day bugs. They also explore the vulnerabilities of open-source software and the potential for third-party supply chain attacks. Open source software testing differs from proprietary software testing in terms of who is responsible for testing. Open-source projects have their own testing processes, but it’s important for software developers to test the open-source software in the context of their own applications. DevSecOps is a cultural shift that aims to integrate security and testing throughout the software development process. It involves early testing, collaboration between teams, and a focus on security from the beginning. The nature of threats in open-source software is changing, with third-party attacks on repositories becoming a major concern. Complacency and slow response times are also issues that need to be addressed. Developers and managers using open-source software should follow security best practices, stay updated on vulnerabilities, and actively test their software. Curtail is working on innovative solutions to analyze and compare different open-source packages for better security.

Takeaways

• Open-source software is prevalent in the industry, with 70-90% of software being open-source-based.
• Companies and their customers are at risk of zero-day attacks due to the widespread use of open-source software.
• Historical examples like Heartbleed and Apache Struts have demonstrated the vulnerabilities of open-source software.
• DevSecOps is crucial for integrating security measures throughout the software development lifecycle.
• Comprehensive testing, documentation, and active involvement in open-source communities can help mitigate security risks.
• Comparing different versions of open-source software and monitoring network behavior can help detect changes and potential vulnerabilities.
• Open source software should be tested in the context of the specific application it will be used in.
• DevSecOps is a cultural shift that integrates security and testing throughout the software development process.
• Third-party attacks on open-source repositories are a growing concern.
• Complacency and slow response times can lead to security vulnerabilities.
• Developers and managers should follow security best practices and actively test their software.
• Curtail is working on innovative solutions to analyze and compare different open-source packages for better security.

Chapters

00:00 – Introduction to Embedded Frontier Podcast
01:25 – Interview with Frank Herta, CEO of Curtail Incorporated
23:10 – Vulnerabilities and Historical Examples of Open Source Software
25:08 – Comprehensive Security Measures for Open Source Software
26:37 – Detecting Zero-Day Bugs and Monitoring Network Behavior
29:17 – Mitigating Security Risks through Testing and Active Involvement
31:04 – The Cultural Shift of DevSecOps
42:12 – Changing Nature of Threats
47:55 – Avoiding Complacency and Improving Response Times
48:53 – Best Practices for Using Open-Source Software
50:18 – Innovative Solutions from Curtail