I wrote a pair of blog posts for work that came out last month!
Many developers don’t feel qualified to make security decisions. In many ways, that’s a perfectly healthy attitude to have: Security decisions are hard, and even folk with training make mistakes. But a healthy respect for a hard problem shouldn’t result in decisions that make a hard problem even harder to solve. Sometimes, we need to recognize that a lot of architectural decisions in a project are security decisions, whether we like it or not. We need to figure out how to make better choices.
The posts are about how to do very simple security risk assessments on open source packages, so you can make more informed choices about what you include in your code and get a sense of what makes a library look scary to security folk. They’ve got lots of real life examples of things we’ve seen, good, bad and embarrassing, and there’s a nice scorecard at the end that you can use to help you do quick assessments of your own. There are even some cat memes included!
I’m pretty proud to be able to share some of the things we’ve learned about open source security risk with the greater world and these posts fall in the category of “things I’ve made” so I thought I’d link them here. Hope you like them!
Back in February, I keynoted at Pycon Pune in India. I decided to start with one of the questions that comes up frequently when I tell people that my day job is in open source security: “Is open source software really more secure?” Here’s the video!
Hopefully one of these days I’ll get the slides and a written transcript up, but for today, please just enjoy the video. Note that there’s some silence at the start of the video while we’re setting up. I start talking at the 1m50s mark, and the embedded video should start there.
Open source security is something I’m very passionate about, and I was really glad that the fine folk at PyCon Pune gave me the chance to tell their attendees more about what it means to be secure and what it will take to make open source security even better. I believe there were over 500 people in the room for my talk, even though I was the final keynote for the conference, and it was one of the greatest audiences I’ve ever had the privilege to talk to — very responsive, lots of great questions, and lots of great follow-ups after the talk was done. If you ever get a chance to speak at Pycon Pune, I highly recommend it. Keep an eye out for next year’s call for speakers!
This also ticked off a few bucket list items for me:
Visiting India! I work with a number of people from India and meet new students from there nearly every year, so I’ve always been curious, but it’s a long and expensive trip. Thankfully it turns out it was also on J’s bucket list so we found a way to make it happen. It’s a super beautiful country and very different from my own. We were fortunate enough to spend some time being tourists before the conference, as well as lots of time socializing with the conference attendees and volunteers.
Keynoting a conference! I’ve wanted to do this for years but opportunities don’t come up very often and I wasn’t able to accept the last offer I got.
PS – Interested in inviting me to keynote? I’d love to do another one! Send an email to terri (at) toybox.ca to let me know. I have a list of my speaking experience on my website. I talk a lot about security, but I’m happy to talk about open source mentorship, community, artificial intelligence, and quite a few other things, just ask!