Success Stories in Open Source: Security Audits with OSTIF
Session Abstract
Improved security in open source is not merely a theoretical goal but a plausible reality, as shown by the nonprofit Open Source Technology Improvement Fund, Inc. Following the best practice of independent code review, with a process specifically tailored to open source projects and communities, OSTIF is turning funds into positive security outcomes.
Session Description
The speaker will talk about the importance of security audits and a process tailored to open source communities, and highlight numerous success stories in improving the security posture of open source projects. Examples include the audits of Git, Kubernetes, Ruby on Rails, and php-src. The topic is relevant to the audience because the evidence presented in the talk suggests that a real, implementable solution to the security and technical debt of software projects is tenable. The main takeaways are as follows: (a) security audits are an effective tool for helping improve the security posture of projects; (b) projects of all sizes, maturity levels, and complexities have benefited from additional security audit work; and (c) OSTIF, as an independent nonprofit, is facilitating and executing security audits for critical open source projects at a high level of effectiveness. While many solutions to the security problems of open source are theoretical and require considerable effort, OSTIF has homed in on a process to help open source projects en masse with a well-established best practice: independent expert security review.