An Interview With Joerg Simon, Fedora Security Lab Creator

Open source is making things easier for security professionals. But choosing software to check vulnerabilities still seems difficult for many developers. Jagmeet Singh of OSFY spoke to Fedora fellow, Joerg Simon, who created Fedora Security Spin, to discu

Q What was the idea behind creating the Fedora Security Lab?

The original idea behind developing Fedora Security Lab (FSL) was to provide the same security tools and security related software that we maintain in Fedora as a ready-to-go, official Fedora security related release. Besides the official spin, we created a package group for the Fedora repositories to have it bundled with the Fedora installations and to provide the group install feature.

It was just a technical showcase of Fedora security features and tools, in the beginning. But today, the same group is involved in a small sub-project of its own.

Initially, I wanted to have FSL for teaching students and giving talks on security along with my favourite Security Test Platform. But something was missing — the targets to test.

You cannot just test in the wild, without penalties. Help came from my co-maintainer, Fabian Affolter. He created the ‘Fedora Security Lab Test Bench’ that provides the counterpart to the original FSL, and lets you use it in a classroom environment on targets with built-in limitations.

It was very clear from the beginning that FSL, as a platform for professional security testers, can only be a starting point. To fill this gap without violating any Fedora guidelines, we also provide playbooks to simplify the installation process of tools with a very fast development cycle, and to add more features.

Q Vulnerabilities in software often grab the headlines. How can open source software help design an effective security solution?

The paradigm of security solutions is conservative in itself. Security solutions, as we know them today, often fail because they focus on threats derived from risks, which are dynamic. Instead, they should focus on the assets first.

Commercial security solutions providers also have the burden of convincing you that you have a particular problem and that you need the solution in the first place. Later, they need to sell you the same product all over again, the next season.

Technically, every so-called security solution is just a ragbag of software, which puts up some security controls — whether you need them or not is a different question.

Because you can always access, review and change the code, the benefits of using open source are obvious and proven. Especially, backdoors and design flaws, like in encryption, can be detected much more easily and will often be fixed in a very short time.

Q Do you think it is open source that makes not just Fedora Security Lab but several other penetration testing solutions successful in the current market?

Free and unlimited access, of course, is one prime reason to make penetration testing solutions successful in the market, whereas community-driven documentation and to-dos are the other reason.

I also think that most open source tools exist because the creator just needed these to get real work done without focusing on profit. With the UNIX philosophy in mind, which is, “Write programs that do one thing and do it well,” we have an extensive collection of tools that do exactly that. Bundling the good tools to work well together and out-of-the-box makes the solution a success.

Q You have built an active community around various developments related to open source solutions. Why is there a need for a community to maintain a platform like Fedora Security Lab?

Having a real world use-case is imperative. If you do not have a community of users, you will not be able to develop a community of contributors. For instance, students often choose to write an open source tool for their project work at their university, but these tools are not maintained afterwards because a community is missing.

I am quite certain that without people like Fabian Affolter and many contributors from the Fedora Infrastructure Team, who really care and are working on it busily all the time, the FSL project would not last long.

Q How do you handle community engagements to enhance the features of Fedora Security Lab?

Having a contributor-friendly ecosystem keeps the project running. A lot of contribution for FSL comes from the community of the Fedora Project itself. You will find all the new features that come with the operating system in FSL as well.

We host our related content for FSL on the fedorahost.org website. Its technical showcase is built by the Fedora build servers, while the Fedora design, marketing, website and ambassador group help to spread the word.

People who want to contribute to FSL directly can do that by joining the Fedora Project in the Fedora Account System. They can then contribute content directly to our FSL group — to the documentation team, as a package maintainer or to another group within Fedora. In any case, we are approachable for mentoring.

Q What are your plans for expanding Fedora’s presence in India?

Making FSL a part of the Fedora Project is my plan to expand the entire platform. The nice side-effect is that I can teach about what I know well, which is information security. And I can teach it along with my favourite platform, FSL, and my favourite methodology, the Open Source Security Testing Methodology Manual (OSSTMM).

As and when time and budgets allow me, I often travel through my beloved India, giving talks and teaching at universities and conferences regarding FSL. I consider myself a part of the Indian null security community and the Fedora community.

I have travelled to India at least once a year since 2009 to spread the word. I teach for free — if there are charges or certification fees, they go directly to the communities, and enable more research and development.

Q What is the prime target audience for Fedora Security Lab? Also, where does India feature in your audience?

I think FSL is the perfect platform for teaching security testing. This recommendation clearly goes for teachers, students and various security testers who want to use Fedora as their base OS for testing.

If I give a piece of training in Germany, it can happen that I have 30 professors in the training round but not a single student. However, this is not the case in India.

In India, during a talk, it can easily be 200 students, professionals and more. So India is my No. 1 audience.

Q As you have been a mentor for Fedora Project contributors, have you seen some Indians making major contributions towards the open source venture?

The interesting thing with mentoring is that you are a mentor and being mentored at the same time. I could attach a long list of people who I consider valuable for the open source movement. I am sure I would miss someone important. So I only want to mention Atul Chitnis — who passed away much too soon — as one who built and shaped the open source ecosystem on Indian soil significantly.

Q Do you think state governments need to target security to avoid instances of Heartbleed, Shellshock and POODLE, in the future?

I think having a clear cyber-resilience strategy is an imperative role for every government, not only to protect critical infrastructure but also to protect the privacy of its citizens. My concern is that politicians are not fit to make a decent decision in this field. And because politicians are not experts, they hire consultants who are more focused on prolonging the problems to make more money. The Open Source Movement is the proper answer.

Open standards like the OSSTMM are made without the conflict of interest which we see with organisations like ISO, AXELOS, ISACA or the (ISC)². The latter focus more on the money-making side of standards and certifications, instead of working together to make things right.

Q How is Fedora Security Lab different from other similar pentest distros such as Kali Linux and Back Box?

I have not really looked into the other distros so I might be wrong in my answer, but the difference could be that we are an RPM-based distro. We also focus on testing methodologies, and on teaching along with a test-bench that provides vulnerable services and applications for testing purposes.

We have a fast pace with the Fedora project release cycle of six months, which might also be a difference. I see the FSL more as a starting point to build your own RPM-based security testing platform than a simple pentest distro.

Q Apart from offering Fedora Security Lab, you also teach Fedora Security and the Open Source Security Testing Methodology Manual (OSSTMM). How easy is it to educate people about concepts like penetration testing and security assessment?

The OSSTMM breaks with a lot of conventional security thinking. It is a scientific approach and, for several people, it is not easy to accept a new truth, at first. As soon as the practicability of the OSSTMM is demonstrated and you start using it in your daily work, you see the proper test results and you understand how it helps to become a much better security tester or security analyst.

In my opinion, it is easy to teach in regions like India because people are hungry for knowledge. But teaching security practices is also challenging, because people will not accept methodologies that do not work for them.

Q Considering the present job scenario in the IT industry, what is your opinion about security testing as a career?

It is awesome to have a career in security testing, but before you learn how to destroy or manipulate something, you should learn how to build and maintain it first. It is much harder to maintain a secure infrastructure than to find a flaw in this infrastructure. So the admins who are able to maintain a secure environment are the real super heroes.

Q Why should enterprises nowadays focus more on security rather than on expanding their existing operations?

The operational business will always come first, but operational security is the vital part of keeping it running.

Unfortunately, in my experience, what enterprises invest in security analysis is often not even one per cent of their revenue. Instead, entrepreneurs invest in more security solutions: “Yeah, just let us buy another firewall or IDS.” Enterprises that focus more on cyber security than on other security channels are making a mistake.

With the exploding number of breaches of trust that we have from different security channels, a security strategy needs to consider all these new vectors and figure out how to measure them and make the process transparent. Even today, I believe the easiest and most successful way to breach security is through the human channel (social engineering).

Another mistake is to rely on compliance and standards too much. While compliance assures average quality and security standards, which is good, it can also be a threat that can disable the operational business from one day to another. Being compliant does not mean you are secure, and being secure does not necessarily mean that you are complying with the required regulations or standards either.

Q Lastly, how has the field of penetration testing and security assessment evolved in the recent past?

I think the security communities have become more professional, which is good and bad at the same time. You end up with conflicting pressures of having fun, being a proper tester or making money.

What concerns me a bit is the trend of external bug bounty programmes run by big vendors that are very popular in India. Some might see this as an evolution. In my opinion, bug bounties are a bad way to deal with security and with people. It focuses on the limitations, and you get paid only if you find a bug. And corporates even save money by outsourcing these programmes — partnering with bug bounty brokers or coordinators.

I want to cite my mentor Pete Herzog here: “In street economics, it is just called pimping.” This means proper and complete testing is considered not worth paying for anymore. I am convinced that if this trend becomes increasingly successful, and if more and more follow this model, the payments will break down, and the quality of limitations found will get worse. That, of course, is bad for security.

Joerg Simon, Fedora Security Lab creator
