Highlights from the Open Source Security Summit 2024

Learn more about the annual Open Source Security Summit.

The fifth annual Open Source Security Summit, held in September 2024, united participants from around the world through expert-led deep dives into the many ways open source software enhances trust and security through collaboration and transparency. Highlights from this year included special guests Keren Elazari, the friendly hacker, and author and cybersecurity journalist Kim Zetter.

To check out previous summits, many session recordings are available for 2023, 2022, 2021, and 2020 at opensourcesecuritysummit.com or on the Bitwarden YouTube channel. 

Keren Elazari champions the idea that we have a lot to learn from hackers and that friendly hackers are here to help. In her 2014 TED Talk, she introduced the concept of “hackers as the immune system for our digital age.”

Elazari’s keynote delved into the current and future threats posed by generative AI. The solution: open and engaged communities.

“I think this is absolutely crucial for our future: to have openness, to have the ability to collaborate with hackers and look at AI models. The hacker mindset is critical for our future, and it is one that, in fact, demands visibility and openness.”

She warns that because malicious versions of large language models (LLMs) and generative AI tools have no guardrails, malicious actors can exploit them to write malware. Recent years “have proven that cybercriminals are some of the most creative, innovative, and adaptable people out there.” This “criminal renaissance” is a call to action for the entire cybersecurity industry to do better, particularly around the security implications of generative AI. While there are benefits to this technology – for example, malicious tools “can be used for security research and to legitimately push forward the boundaries of technology” – these tools do not offer oversight or insight into their use. 

“Some people say life is like a box of chocolates; I think right now, with AI, you really never know what you're going to get. We are in the midst of all that happening and shaping, and it's incredibly exhilarating but also a little bit terrifying.

With the rise of generative AI, we are ushering in the no-code or low-code revolution, as these tools offer more and more programming assistance. According to a recent Gartner report, the number of applications and programs not written by humans will continue to rise dramatically. As more people without an engineering background write code, the number of vulnerabilities will likely increase. If the person using AI to generate code is not an expert, that leaves room for security challenges and misconfigurations, which means there will be more exploits: “People used to say software is eating the world. What is happening now is - AI is eating software.”

The path forward through this new domain is the same as it has always been: together. 

“We have to find tools as a community to collaborate to deal with the accelerating pace of change, with the growing speed of how many vulnerabilities will be discovered, and how quickly AI is being developed to create attacks that jeopardize our trust.”

Elazari advises developers and businesses to evaluate the layers of their tech stack. Ensure you trust each tool and the supply chains they rely on because they are all interconnected. “It’s turtles all the way down. If we can't trust one layer, how can we trust any of the layers above it? We have to find a way to build that stack of turtles, or to build that stack of tools, of capabilities, to see what's going on, to understand, to have visibility into our code, visibility into our technology, in order to be able to build that trust.”

Kim Zetter is an award-winning journalist and author with 15 years of experience reporting on national security and cyber security. In her fireside chat with Brian Gentry, VP of engineering at Bitwarden, she outlined the state of global security challenges, threats, and trends, from corporate espionage to fraud. She also discussed ransomware tactics and how individuals and companies can stay safe by implementing well-known and accepted best practices.

When it comes to the global hacking landscape, according to Zetter, “a lot has changed, and really nothing at all has changed in many ways . . . Hackers are still getting in the same ways as they have in the past, through phishing attacks and things like that.” However, she notes that skill sets worldwide are rising alongside new technological developments.

Zetter predicts business email will remain a primary target for ransomware, with the largest known payment of 75 million reported this year: “That's still where the gold is. It's where intelligence is. It's where corporate secrets are. It's where sensitive data is - information about lawsuits, mergers and acquisitions, new products, HR issues, health issues - the jewels of most entities.” 

The good news? Taking simple steps to secure digital assets is extremely effective against most attacks: “The average consumer has been well-educated on two-factor authentication. If your grandmother and your mother are using 2FA for their personal accounts, it's really remarkable that businesses are not using it.” Third-party vendors that managed Snowflake accounts for companies like Ticketmaster did not require 2FA by default.

Zetter urges that the responsibility is on the companies offering a service, on those who create the tools that secure our world, to build security into user workflows, and mandate best practices for customers who may not know better. She points to a sense of laziness alongside a lack of training that leads to exploitable processes.

“If companies are being trained that this is the process you have to use, regardless of whether it is mandated by your provider. If that is the practice and it’s in your training, then you'll do it.

If it's not hammered in from the top down that this is absolutely the minimum that you need to do, then, of course, workers are not going to do it.”

Zetter recommends that businesses seek advice from CISA and the FBI because most organizations’ crisis response is “still quite reactionary. Companies are not taking measures in advance, and they're just responding to the attacks.” She cautions that many businesses cave to ransomware demands after realizing, too late, that they will be unable to access the data on their backup in time to keep their business running.

“Companies need to be better at doing tabletop exercises - not just doing the backups, but also having a plan in place that they can practice for how they're going to respond.

Who are the people that are going to be contacted? What are you going to do for publicity to convey to customers and employees when this has happened? If all of your systems are locked down, what are your emergency measures?”

Ready to take the next step toward protecting your business and yourself online? Get started with a free individual account or start a business trial.

Connect with the Bitwarden community to stay informed about future events and additional cybersecurity resources!

See you at the Open Source Security Summit in 2025!