Third Annual Open Source Security Summit Recap
The third annual Open Source Security Summit shines a spotlight on the global community of cybersecurity and open source software experts with speakers ranging from Romania to Santa Barbara, California. This event brought together thought leaders, industry examples of open source security in action, and bustling commentary from participants all over the world!
The Open Source Security Summit provides a space for companies and individuals to discuss how utilizing open source technologies leads to stronger security and trust through transparency.
Highlights from this year included Kevin Mitnick, the world’s most famous hacker; Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF); and one of the most popular security speakers and authors, Mikko Hypponen.
To catch up on previous summits, you can watch many of the session recordings for 2020 and 2021 on the Bitwarden YouTube channel. Stay tuned to our channel for upcoming session recordings from the 2022 summit!
Kicking off the summit with his keynote address, Mikko Hypponen emphasized that most people don’t realize how ubiquitous open source technology is because it is running in the background of the tools they use on a regular basis. For example, the dashboard in your car, social media platforms like Facebook, search engines like Google, the Mars rovers, and perhaps even your phone all run on a Linux operating system. The internet eliminates borders, which enables companies and individuals to collaborate from across the world, said Mikko, echoing the sentiments Marten Mickos, CEO of HackerOne, shared in the inaugural year of this summit: “open source unleashes collaboration and innovation otherwise not possible.”
“The internet is the best and worst thing that has happened in our lifetime. But the upsides are much bigger than the downsides… we are living in the middle of the biggest technological revolution that mankind has ever seen.”
One significant downside, of course, is the rise of malware and cybercrime, a realm that has grown exponentially over the past few decades as we have brought more and more smart devices and applications into our homes, our work, and our communities.
“When a company doesn’t get hacked, that’s not a headline… rarely is anyone thanked for stopping a disaster that didn’t happen.”
Mikko’s book If It’s Smart, It’s Vulnerable goes into more detail on how our smart devices have introduced vulnerabilities into our day to day lives and “the transformative potential of the future of the internet.”
Eva Galperin is the director of cybersecurity at the Electronic Frontier Foundation (EFF), a digital liberties organization. She is also the co-founder of the Coalition Against Stalkerware and has published extensive research on malware. In her keynote address, she emphasized the importance of diversity among product developers to avoid launching a product with significant blind spots like Apple’s AirTags being used by stalkers and other abusers, an example Eva explores in depth. Eva’s call to action for those working in cybersecurity is to think about how to protect the most vulnerable and least tech-savvy users of your product while you design it, not as an afterthought once the damage has been done.
“We need to use our power as cybersecurity professionals to protect the people at the margins whose concerns are really not brought to the center at the design stage or, indeed, at any stage in the technology development process.”
Eva offers the following 5 product design principles by Lesley Nuttall from IBM’s Security Labs for how to combat domestic abuse:
Start with diversity: The more people in the room making decisions about your product, the more use cases you will be able to identify.
Privacy & choice: If there is only one product that does the thing you need, then you don’t have a choice. Users must be able to make informed decisions about privacy settings.
Combat gaslighting: Timely notifications and auditing are essential.
Security & data: Users should understand who has access to their data and be able to cut someone off quickly and decisively.
Technical ability: Take into account all levels of technical ability so that one user cannot be controlled by another because they don’t know how to use your product.
Kevin Mitnick is well known for eluding the FBI for many years in the 1990s until he eventually served a five-year sentence for hacking crimes. He has since reformed and now leads penetration testing to help companies find security vulnerabilities and address them.
Decades before encrypted messaging apps were around, as a teenager Kevin and his friends would do “phone phreaking” - finding workarounds through the phone companies’ computer systems so they could call a designated number and talk anonymously. Then in college, he hacked his first password - his professor’s password. To learn more about Kevin’s story, see his book Ghost in the Wires.
In his current line of work, he deploys social engineering and other phishing attack simulations: “Trust is critical to deception. If you can get the target to trust you, the deception is likely to work.” The way for businesses and individuals to defend against an attack is security awareness training, stronger physical authentication requirements like YubiKeys, or both: “it’s either training, YubiKeys, or both.” The human element is the weakest link in security. Kevin also demonstrated how his team compromises machines for clients who store their passwords directly in a browser.
The best defense to protect yourself from hackers? Kevin recommends “combining password manager with FIDO2 with a YubiKey or security token that you have to plug into the machine to authenticate yourself.” For any passwords you need to remember, he recommends using a sentence with spaces and punctuation as your passphrase because such passphrases are 1) easier to remember and 2) very hard to guess.
The conference also featured four case studies from Bitwarden users Greenpeace, Bitdefender, Ocrolus, and InMotion Hosting.
Ernesto Berger explained the process Greenpeace has gone through to prevent hacks, implement encrypted communications, and establish security training while avoiding security paralysis for their employees. If a security process is too difficult, complex, or cumbersome, employees are likely to sidestep it while doing their jobs. Bitwarden helped them improve security without burdening their teams by providing security that is easy to use.
According to Mihai Talmacel from Bitdefender, “cybersecurity is becoming mission critical for businesses of all sizes.” He emphasizes that proprietary and open source software “are not competitors, but partners that can work together.” In order to be in business today, you need technology, and, in line with Mikko Hypponen’s comments at the start of the summit, he reminds us that “technology comes with risk.” Mihai encourages businesses to set up security training for employees using free material from the security community if cost is a blocker. Bitdefender ultimately chose Bitwarden for their password management solution because of the trust that comes with being open source.
To prevent the use of shadow IT, Julian Cohen, VP of security and CISO at Ocrolus, believes, “the most effective control is a password manager.” Julian’s team also uses SCIM and automatic provisioning and provides security training to educate employees on “why it’s effective, how it keeps your account secure, how it’s easier than managing passwords in your head or using the same password for different accounts.” His advice to businesses: identify what you have and what you need to avoid “engineering yourself to death” by implementing every kind of tool. Identify what is most important to your business and prioritize that first.
Noah Ablaseau, SysOps senior platform and security engineer at InMotion Hosting, said his team chose Bitwarden for their password management solution due to issues they’d had with other solutions being too technical for non-technical users. They’d found many “users will often substitute security for convenience when left to their own devices.” For those users, providing “security via Trojan horses” that enables them to do their jobs without interruption or with increased ease rather than increased difficulty means they will actually use it: “they don’t really care whether or not they’re being secure. It’s just easy.”
For Noah and his team, understanding users and their needs is the most important piece of getting started with a security option that works for your team and keeps your business secure. From his experience, “the worst thing that can happen is to have a user base afraid to report that they made a mistake”: if they don’t feel comfortable coming forward, you won’t have the opportunity to provide additional training or address security gaps.
The Open Source Security Summit is a forum for intersectional conversation across industries and borders. The 2022 summit featured speakers from Proton, the FIDO Alliance, CISA, SeMI Technologies, RaivoOTP, Cryptomator, and CryptPad.
Daniel Huigens, cryptography team lead at Proton, elaborated on how and why to build web apps that you can trust, like ProtonMail. End-to-end encryption is the foundation for building this trust that your data is secure. Open source means that you don’t have to take for granted that a tool or platform is actually using end-to-end encryption; you can see whether that is the case in the source code itself.
David Turner, director of standards development at the FIDO Alliance, explained the importance of moving away from security that is purely knowledge based, like only using a password to secure your account, to include possession-based security measures (referred to as the “something that you have” form of authentication). Combining different factors like something you know (password) with something you have (security key) leads to stronger security. Using password managers that can generate and securely store strong and unique passwords for every account is the first step toward securing yourself and your business.
Allan Friedman, senior advisor and strategist at the Cybersecurity & Infrastructure Security Agency (CISA), detailed transparency in the software supply chain, noting that many people use open source software without realizing it is open source. Allan points to the importance of consumers and employees knowing what tools they are using: transparency alone won’t keep users secure, but it enables teams to perform proper risk management.
For example, “If I go out and buy a Twinkie, it's going to come with a list of ingredients. Why don't we expect that same level of transparency that we get from a non-biodegradable snack that we would expect in the software that runs our world, our critical infrastructure, and our most important systems.”
Knowing the ingredients in your software supply chain doesn’t mean you will “stick to your diet” or never find vulnerabilities, but it does mean that you will have a better idea of what to look out for as you build your company’s security systems or your personal digital footprint.
Bob van Luijt, CEO of SeMI Technologies and vocal supporter of the business model of open source software, explained how “building a community around your product is a powerful tool” to learn how your customers are using the product and what they want from it in the future. Making your product open source lowers the barrier to build a community.
Tijme Gommers, product lead adversary simulation at Northwave Security and the creator of RaivoOTP, highlighted the reasons for creating an open source product and how RaivoOTP contributes to the transition to a passwordless future. By making RaivoOTP open source, he has been able to improve the codebase and quality. On one hand, he acknowledged that “closed source competitors, of course, have the advantage of security by obscurity.” However, “open source products have the potential of being more secure than closed source competitors,” due to the much wider opportunity for review. The more people are interested in the security of your product, the faster you will find and fix any potential vulnerabilities.
Collaboration & Privacy
David Benquė is design lead at CryptPad, an open source collaborative office suite with end-to-end encryption. David notes that remote working collaboration is a baseline expectation for many companies now, but these tools are not always discussed in relation to privacy. While there are privacy downsides to using free collaboration tools or self-hosted tools, CryptPad encrypts information in the client without leaving anything readable on the user’s device.
Sebastian Stenzel, CTO at Skymatic, spoke about the platform Cryptomator and whether there can be too much security. Cryptomator is an open source project specializing in encrypting files before uploading them to the cloud. For Sebastian, “open source is absolutely essential for security tools. We need the transparency, especially when working on cryptography. So there’s no need to trust our claims; you can check the source code.” He introduced the difference between gross security, the policies, tools, and systems we put in place in our companies, and net security, all of those systems plus the human factor. If a company’s security policies overly burden their employees or under-educate them, there will be a drop in net security regardless of the gross security systems in place.
The best way to accommodate the human factor? Make sure your tools and policies don’t outpace the adoption rate within your teams.
One simple yet powerful first step toward protecting yourself and your loved ones online is to use a password manager. Get started today with a free individual account or start a business trial for your team.
Stay connected with Bitwarden to get notified when the session recordings from this event are available and to learn about more cybersecurity events and resources like this!
See you at the Open Source Security Summit in 2023!