The MariaDB Foundation and security - Finding and fixing vulnerabilities



1. MariaDB Foundation Security: Finding and fixing vulnerabilities
Teodor Mircea Ionita, Security @ MariaDB Foundation
© 2018 MariaDB Foundation

2. Why? When How
■ One of the world's most popular pieces of server software
■ Part of critical infrastructure worldwide
■ We cannot trust any piece of software to be inherently secure
■ We know security is crucially important for our users and take it very seriously

3. Why? When How
We believe a healthy software project must have:
1. a vulnerability disclosure policy
2. a vulnerability management procedure
3. make it enticing for researchers to report to you directly
4. eagerness to collaborate with the security community
5. a commitment to handle reports timely, transparently and eagerly
6. proactively look for security bugs in its own code base

4. Why When? How
"The best time to plant a tree was 20 years ago. The second best time is now." – Chinese proverb

5. Why When How?
Software security is best handled in two layers:
1. Policy (reactive measures)
  ○ States our vision (openness, responsible disclosure, timely resolution)
  ○ Defines guidelines for vulnerability reporting, handling and disclosure
  ○ Enforces our vision and ensures the procedure is followed
2. Practice (proactive measures)
  ○ Incentives (make it easy to discover and report to us, public acknowledgment and bug bounties)
  ○ Feedback loop (run checks on GitHub PRs, look for the same class of vulns, encourage researchers to get involved in the entire vulnerability lifecycle)
  ○ Integrate standard security checks and testing into our Continuous Integration pipelines

6. 1. Policy
Traditionally, policy defines reactive measures. We think it's crucial to centralize and focus security efforts:
■ Define a vulnerability disclosure policy that we can promote and abide by: ISO/IEC 29147
■ Define a vulnerability handling and resolution policy that we can adopt and follow: ISO/IEC 30111
■ Evaluate Foundation assets and layout: we are interested in vulnerabilities in server code, as well as in our infrastructure
■ Vulnerability classification: scoping/eligibility per asset and severity simplification

7. 2. Practice
■ Improve visibility and availability:
  ○ security page:
  ○ security email list:
  ○ security section in dotfiles: server/
  ○ website security contact:
■ Provide incentives:
  ○ bounties
  ○ public acknowledgment
  ○ involvement in the transparent resolution process

8. HackerOne and bug bounties
■ bug bounty platform
■ 1000+ programs
■ 200K+ hackers
■ 72K+ valid vulnerabilities submitted
■ $30M+ bounty paid
■ security issue tracker
■ reputation and recognition platform (for hackers)
■ transparency and commitment tool (for companies and organizations)
* stats from: The Hacker Powered Security Report 2018.pdf, 2018 Hacker Report.pdf

9. HackerOne Live Demo

10. HackerOne takeaways
➢ Keep traditional methods for reporting security vulnerabilities; some hackers do not have time to register, read and abide by policies, etc.
➢ Make sure you have bandwidth for handling the initial burst of reports
➢ Be very clear in defining the assets, scope and the vulnerabilities you're interested in
➢ This is a commitment on both the researcher's side and your organization's side
➢ Feel free to use our template to bootstrap your program; there aren't that many around for server-side C++ programs

11. Practice and beyond
While policy establishes a proper reactive procedure for handling security incidents, proactive measures help prevent security incidents in the first place. A couple of things we're planning to do going forward:
● Static checks: lint, splint, clang-check/tidy, cppcheck, coverity
● Dynamic tests: *ASAN, valgrind, fuzzing
New CI deployment at
They will be part of the same tests that enforce protected branches and staging/PR code quality.
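As an added example of the feedback loop from slides 5 and 11 (added here, not code from the slides or from the Foundation's own CI), this is the kind of merge gate a PR pipeline runs over the output of the checks listed above: it parses cppcheck, AddressSanitizer and valgrind output into findings and fails the build when any blocking finding is present. The output formats it assumes are cppcheck run with --template='{file}:{line}:{severity}:{id}:{message}', ASAN's '==pid==ERROR: AddressSanitizer: ...' report line followed by its 'SUMMARY:' line, and valgrind's 'ERROR SUMMARY: N errors' line; the sample outputs, file paths and function names below are constructed for the example.

```python
"""CI merge gate over static and dynamic check output.

Added example, not the MariaDB Foundation's CI code. The tools are assumed to
have been run earlier in the pipeline; only their text output is parsed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str   # "error" blocks the merge, "warning" is reported only
    location: str
    message: str


# cppcheck severities that block a merge; style/performance findings are advisory.
CPPCHECK_BLOCKING = {"error"}

# cppcheck output produced with --template='{file}:{line}:{severity}:{id}:{message}'
CPPCHECK_LINE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<severity>\w+):(?P<id>\w+):(?P<msg>.*)$")
# AddressSanitizer report header and summary lines (assumed format)
ASAN_ERROR = re.compile(r"^==\d+==ERROR: \w+Sanitizer: (?P<kind>[\w-]+)")
ASAN_SUMMARY = re.compile(r"^SUMMARY: \w+Sanitizer: (?P<kind>[\w-]+) (?P<loc>\S+)")
# valgrind's final error count line
VALGRIND_SUMMARY = re.compile(r"^==\d+== ERROR SUMMARY: (?P<n>\d+) errors")


def parse_cppcheck(text):
    findings = []
    for line in text.splitlines():
        m = CPPCHECK_LINE.match(line.strip())
        if not m:
            continue
        sev = "error" if m["severity"] in CPPCHECK_BLOCKING else "warning"
        findings.append(Finding("cppcheck", sev, f"{m['file']}:{m['line']}",
                                f"{m['id']}: {m['msg']}"))
    return findings


def parse_sanitizer(text):
    """One finding per sanitizer report; the location comes from the SUMMARY line."""
    findings = []
    kind = None
    for line in text.splitlines():
        m = ASAN_ERROR.match(line)
        if m:
            kind = m["kind"]
            continue
        m = ASAN_SUMMARY.match(line)
        if m and kind:
            findings.append(Finding("asan", "error", m["loc"], kind))
            kind = None
    if kind:  # report with no SUMMARY line (process died mid-report): still blocking
        findings.append(Finding("asan", "error", "unknown", kind))
    return findings


def parse_valgrind(text):
    for line in text.splitlines():
        m = VALGRIND_SUMMARY.match(line)
        if m and int(m["n"]) > 0:
            return [Finding("valgrind", "error", "see log", f"{m['n']} errors reported")]
    return []


def gate(findings):
    """Return (passed, report_lines): any finding of severity 'error' fails the gate."""
    blocking = [f for f in findings if f.severity == "error"]
    report = [f"[{f.severity.upper()}] {f.tool} {f.location}: {f.message}" for f in findings]
    return (len(blocking) == 0, report)


# Constructed sample tool output (hypothetical paths and function names).
SAMPLE_CPPCHECK = """\
src/example.cc:120:error:arrayIndexOutOfBounds:Array 'buf[16]' accessed at index 16, which is out of bounds.
src/example.cc:200:style:unusedVariable:Unused variable: tmp
"""
SAMPLE_ASAN = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x0000004006b2
READ of size 1 at 0x602000000014 thread T0
SUMMARY: AddressSanitizer: heap-buffer-overflow src/example.cc:120 in parse_token
"""
SAMPLE_VALGRIND_CLEAN = "==4243== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)\n"


def run_gate_on_samples():
    findings = (parse_cppcheck(SAMPLE_CPPCHECK) + parse_sanitizer(SAMPLE_ASAN)
                + parse_valgrind(SAMPLE_VALGRIND_CLEAN))
    return gate(findings)


if __name__ == "__main__":
    passed, report = run_gate_on_samples()
    print("\n".join(report))
    print("GATE:", "PASS" if passed else "FAIL")
```

Note that the cppcheck and ASAN findings in the sample point at the same location: running a static checker and a sanitized test build side by side is what lets the gate report a static warning and its dynamic confirmation together on the PR, which is the "look for the same class of vulns" loop from slide 5.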

12. ~ To us, thank you! ~

13. The MariaDB Foundation: Supporting continuity and open collaboration
Please support us to guarantee that our mission succeeds!