The MariaDB Foundation and security - Finding and fixing vulnerabilities

The MariaDB Foundation has started a new effort to coordinate and find security vulnerabilities in the MariaDB and MySQL code bases.
This talk covers the current activities of the MariaDB Foundation's security effort, including, for example, the recently designed responsible disclosure policy and a bug bounty program on HackerOne, as well as future plans for continuous and automated security testing to be baked into our continuous integration and testing pipelines.
As one of the world's most popular pieces of server software and part of critical infrastructure, hosting a vast number of databases, it is crucial that it stays secure and runs without security problems. History teaches us that we cannot trust any software to be inherently secure, so every project must have proper vulnerability disclosure and management procedures, be eager to collaborate with the security community, adhere to disclosure guidelines, and actively look for security vulnerabilities.


1. MariaDB Foundation Security: Finding and fixing vulnerabilities
Teodor Mircea Ionita, Security @ MariaDB Foundation
© 2018 MariaDB Foundation

2. Why? When How
■ One of the world's most popular pieces of server software
■ Part of critical infrastructure worldwide
■ We cannot trust any piece of software to be inherently secure
■ We know security is crucially important for our users and take it very seriously

3. Why? When How
We believe a healthy software project must have:
1. a vulnerability disclosure policy
2. a vulnerability management procedure
3. incentives that make it enticing for researchers to report to you directly
4. eagerness to collaborate with the security community
5. a commitment to handle reports timely, transparently and eagerly
6. a proactive search for security bugs in its own code base

4. Why When? How
"The best time to plant a tree was 20 years ago. The second best time is now." – Chinese proverb

5. Why When How?
Software security is best handled in two layers:
1. Policy (reactive measures)
○ States our vision (openness, responsible disclosure, timely resolution)
○ Defines guidelines for vulnerability reporting, handling and disclosure
○ Enforces our vision and ensures the procedure is followed
2. Practice (proactive measures)
○ Incentives (make it easy to discover and report to us, public acknowledgment and bug bounties)
○ Feedback loop (run checks on GitHub PRs, look for the same class of vulns, encourage researchers to get involved in the entire vulnerability lifecycle)
○ Integrate standard security checks and testing into our Continuous Integration pipelines

6. 1. Policy
Traditionally, policy defines reactive measures. We think it's crucial to centralize and focus security efforts:
■ Define a vulnerability disclosure policy that we can promote and abide by; ISO/IEC 29147 and tools.ietf.org/..draft-christey-wysopal-vuln-disclosure
■ Define a vulnerability handling and resolution policy that we can adopt and follow; ISO/IEC 30111
■ Evaluate Foundation assets and layout; we are interested in vulnerabilities in server code as well as in our infrastructure
■ Vulnerability classification: scoping/eligibility per asset and severity simplification

7. 2. Practice
■ Improve visibility and availability:
○ security page: https://mariadb.org/about/security-policy/
○ security email list: security@mariadb.org
○ security section in dotfiles: server/README.md
○ website security contact: https://mariadb.org/security.txt
■ Provide incentives:
○ bounties
○ public acknowledgment
○ involvement in the transparent resolution process

8. HackerOne and bug bounties
■ bug bounty platform
■ 1000+ programs
■ 200K+ hackers
■ 72K+ valid vulnerabilities submitted
■ $30M+ bounty paid
■ security issue tracker
■ reputation and recognition platform (for hackers)
■ transparency and commitment tool (for companies and organizations)
* stats from: The Hacker Powered Security Report 2018 (PDF) and 2018 Hacker Report (PDF)

9. HackerOne Live Demo

10. HackerOne takeaways
➢ Keep traditional methods for reporting security vulnerabilities; some hackers do not have time to register, read and abide by policies, etc.
➢ Make sure you have bandwidth for handling the initial burst of reports
➢ Be very clear in defining the assets, scope and the vulnerabilities you're interested in
➢ This is a commitment on the part of both the researcher and your organization
➢ Feel free to use our template to bootstrap your program; there aren't that many around for server-side C++ programs

11. Practice and beyond
While policy establishes a proper reactive procedure for handling security incidents, proactive measures help prevent security incidents in the first place. A couple of things we're planning to do going forward:
● Static checks: lint, splint, clang-check/tidy, cppcheck, coverity
● Dynamic tests: *ASAN, valgrind, fuzzing
New CI deployment at buildbot.mariadb.org. These checks will be part of the same tests that enforce protected branches and staging/PR code quality.

12. ~ To us, thank you! ~
teodor@mariadb.org
security@mariadb.org
© 2016 MariaDB Foundation

13. The MariaDB Foundation: Supporting continuity and open collaboration
Please support us to guarantee that our mission succeeds!