When Many Eyes Fail You: Tales from Security Standards and Open Source

Accepted Session
Short Form
Beginner
Scheduled: Tuesday, June 24, 2014 from 10:00 – 10:45am in B202/203

Excerpt

It's often said that "given many eyes, all bugs are shallow" and open source proponents love to list this as a reason that open source is more secure than its closed-source relatives. While that makes a nice sound bite, the reality of security with many eyeballs doesn't fit so nicely into a tweet. This talk will explore some of the things that surprised me in going from academic security research to industry security research in open source and open standards.

Description

I recently fled academia because I felt like I could have a higher impact on real-world computer security if I worked in industry. It’s a bit too early to tell if that’s true, but I’d like to talk about some of the things that surprised me about moving to being paid to do security for open source and working with standards, while I’m still looking at it with an outsider’s eyes.

It’s often said that “given enough eyes, all bugs are shallow” and open source proponents love to list this as a reason that open source is more secure than its closed-source relatives. While that makes a nice sound bite, the reality of security with many eyeballs doesn’t fit so nicely into a tweet.

We may have many eyeballs, but do they know what to look for? Do we really have many eyeballs when some people are often afraid to make uninformed security judgements (and others are all too willing)? It’s one thing to win a bug bounty for cracking a commercial product, but what’s the payoff that encourages people to read through lengthy W3C standards to ensure that they don’t leave huge gaps in security and privacy of the products that will implement them? What happens if you create a standard and no one reads it?

I’ll tell some tales from the trenches of my work with the W3C, and talk about some of the side-channel ways that security takes shape even when it’s being done in public.

Tags

security, standards

Speaking experience

This is a brand new talk, although I may blog about the topic before the conference.

As a former academic, I used to give a lot of talks on my work to both the scientific community and more general audiences. People were often shocked that they weren't boring. ;) I also have done open source talks about my work with GNU Mailman at Linuxcon, as well as many talks geared for open source outreach, including to women in computing venues.

I have an older list with my talk abstracts and slides here: http://terri.zone12.com/speaking/

Speaker

Biography

Terri has a PhD in horribleness, assuming we agree that web security is kind of horrible. She stopped working on skynet (err, automated program repair and artificial intelligence) before robots from the future came to kill her and then she got a job in open source, which at least sounds safer. Now, she gets paid to break things and tell people they’re wrong while working towards more secure open source and open web standards. She doesn’t get paid for her work on GNU Mailman or running Google Summer of Code for the Python Software Foundation, but she does those things too.