Vulnerability Scanning for Free (as in Puppies)

I’m giving a talk at pyCascades this afternoon and I just wanted to share the slides for folk who like that kind of thing.

PDF: https://drive.google.com/file/d/125cCmmk8k5UtfV3QajNOXml1YW5nxM2i/view?usp=sharing

ODP (LibreOffice Impress) : https://drive.google.com/file/d/1u3_5LQUYYPiv9hSCbcgG_gOGn96a-di2/view?usp=sharing (Contains notes but they’re an early talk draft)

Google Docs version (not the original, probably has minor formatting issues but may be easier to view on your phone) : https://docs.google.com/presentation/d/149coIJnNdIsW7NWkQjv5jaKAHboHBxVLgx2lOS2oZfk/edit?usp=sharing

CVE Binary Tool source repository: https://github.com/intel/cve-bin-tool

CVE Binary Tool documentation: https://cve-bin-tool.readthedocs.io/

The slides below are just images (no alt text or notes — if you want those see the ODP link above). I’m planning to update them with something closer to the talk content after the conference but it might take a while.

Video of my Python Security Tools talk at PyCon 2019

I’m hoping to put together a post with all the text of my talk and slides in a non-video format (because I like having my talks in non-talk format!), but in the meantime, enjoy the video of the talk I gave at PyCon this year!

The talk is on Python Security Tools, because I found at work that we didn’t have good training on how to secure Python, and when I went to fix that, I found out that even Google searches for “how do I secure python?” weren’t telling people the things I think they should know about securing their python code. So clearly there’s a need!

Abstract:

While high-level security concepts may transcend languages, each language has its own sets of tools and edge cases that are worth knowing. Python is one of many popular languages that is rarely the focus in security training, but that doesn’t mean python code is automatically secure (no matter what the internet tells you). Learn why people who say “pylint will help you with security” aren’t doing you any favours, how to use Bandit for security-focused linting and talk about other options for static analysis. Take a deeper look at why scanning for publicly known vulnerabilities is complicated, and how to use Pyup Safety to make it easier. We’ll also explore some language myths and best practices.

On a personal note, speaking at PyCon is something I’ve wanted to do since my first PyCon back in Santa Clara in 2012, so I was super excited to get accepted this year!
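The abstract above says that scanning for publicly known vulnerabilities is complicated; the added example below (not code from the talk, from Pyup Safety or from cve-bin-tool) shows the two parts a dependency scanner cannot get wrong: advisories describe affected version ranges rather than single versions, and versions have to be compared component by component, because as strings `"2.10.0"` sorts before `"2.2.0"`. The package names, advisory ids and installed versions are constructed placeholders, not real advisories.

```python
"""Matching installed package versions against an advisory list.

Added example, not Pyup Safety's or cve-bin-tool's code. The packages,
advisory ids ("EXAMPLE-000n") and affected ranges below are constructed
for the demonstration and do not describe real software.
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Parse the release segment ('1.10.2' -> (1, 10, 2)).

    Pre-release, post-release and dev tags are ignored here for brevity;
    a real scanner must implement the full PEP 440 ordering.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a: tuple, b: tuple) -> int:
    """Three-way compare, padding the shorter tuple with zeros (1.11 == 1.11.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def matches_spec(version: str, spec: str) -> bool:
    """True if version satisfies every clause of a spec like '>=2.0,<2.1.3'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^(<=|>=|==|!=|<|>)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](_cmp(v, parse_version(target))):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE id
    package: str
    affected: str      # comma-separated version clauses, all must hold
    summary: str


# Constructed sample data.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libfoo", "<2.20.0", "constructed example"),
    Advisory("EXAMPLE-0002", "webfw", ">=2.0,<2.1.3", "constructed example"),
    Advisory("EXAMPLE-0003", "webfw", ">=1.11,<1.11.15", "constructed example (LTS branch)"),
]
INSTALLED = {"libfoo": "2.10.0", "webfw": "1.11.10", "unrelated": "1.0.2"}


def find_vulnerable(installed: dict, advisories=ADVISORIES) -> list:
    """Return (package, version, advisory_id) for every advisory whose range matches."""
    hits = []
    for adv in advisories:
        version = installed.get(adv.package)
        if version is not None and matches_spec(version, adv.affected):
            hits.append((adv.package, version, adv.advisory_id))
    return hits


if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable(INSTALLED):
        print(f"{pkg}=={ver} is affected by {adv_id}")
    # String comparison gets this wrong; tuple comparison does not.
    print('"2.10.0" < "2.2.0" as strings:', "2.10.0" < "2.2.0")
    print("2.10.0 < 2.2.0 as versions:", _cmp(parse_version("2.10.0"), parse_version("2.2.0")) < 0)
```

Note that `webfw==1.11.10` matches the LTS-branch advisory but not the `>=2.0,<2.1.3` one, which is why a scanner that keeps only the highest fixed version per package would miss it; each affected range has to be checked on its own.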

Is Open Source Software Really More Secure? (Pycon Pune 2017 Keynote)

Back in February, I keynoted at Pycon Pune in India. I decided to start with one of the questions that comes up frequently when I tell people that my day job is in open source security: “Is open source software really more secure?” Here’s the video!

Hopefully one of these days I’ll get the slides and a written transcript up, but for today, please just enjoy the video. Note that there’s some silence at the start of the video while we’re setting up. I start talking at the 1m50s mark, and the embedded video should start there.

Pycon Pune Group Photo

Open source security is something I’m very passionate about, and I was really glad that the fine folk at PyCon Pune gave me the chance to tell their attendees more about what it means to be secure and what it will take to make open source security even better. I believe there were over 500 people in the room for my talk, even though I was the final keynote for the conference, and it was one of the greatest audiences I’ve ever had the privilege to talk to — very responsive, lots of great questions, and lots of great follow-ups after the talk was done. If you ever get a chance to speak at Pycon Pune, I highly recommend it. Keep an eye out for next year’s call for speakers!

This also ticked off a few bucket list items for me:

  1. Visiting India! I work with a number of people from India and meet new students from there nearly every year, so I’ve always been curious, but it’s a long and expensive trip. Thankfully it turns out it was also on J’s bucket list so we found a way to make it happen. It’s a super beautiful country and very different from my own. We were fortunate enough to spend some time being tourists before the conference, as well as lots of time socializing with the conference attendees and volunteers.
  2. Keynoting a conference! I’ve wanted to do this for years but opportunities don’t come up very often and I wasn’t able to accept the last offer I got.

PS – Interested in inviting me to keynote? I’d love to do another one! Send an email to terri (at) toybox.ca to let me know. I have a list of my speaking experience on my website. I talk a lot about security, but I’m happy to talk about open source mentorship, community, artificial intelligence, and quite a few other things, just ask!

Taking No for an Answer (Open Source Bridge 2016 talk)

I gave one talk and ran one tutorial at Open Source Bridge 2016 back in June. For those of you not familiar with it, Open Source Bridge is an open source conference with a focus on “open source citizenship” that leads to a great combination of technical and social thought from people who are part of the open source community. My favourite part is actually the super chill hacker lounge, where it’s quiet enough to actually talk, and it’s totally cool to meet new friends around the lego table or bring my knitting. I don’t mind a few alcoholic conference mixers, but I have to say I meet and remember way more people at open source bridge than many other conferences.

The talk I gave this year, entitled “Taking No For an Answer,” isn’t entirely open source specific, since it’s really about a bad community behaviour you see in many other communities, but the focus and my examples come from my work in open source. I can’t seem to find the audio recording they made, so this is reconstructed from my slide notes. You can find the whole slide deck here: Taking No For An Answer (Open Source Bridge 2016) slides.

[Title Slide] Taking No for an Answer: a talk by Terri Oda at Open Source Bridge 2016

Open source (like many fields) rewards people who are confident and even a bit pushy. Those of us who go furthest are often those who offered to fix bugs and followed through, who were ready to argue about their architectural ideas on a mailing list or irc channel. In many ways, open source is do-ocracy, where those with the time and the confidence to do things become leaders. In volunteer led communities, it can often be the case that the quality or merit of the work isn’t the big focus: it’s whether it’s getting done by anyone at all.

[Slide 1] This slide shows a collage of book covers and articles related to confidence: “How to overcome impostor syndrome” “Women don’t ask” “Lean in” “Closing the confidence gap” “The impostor syndrome”

So because of this, In the tech world, there’s been a lot of focus on getting people to step forwards, negotiate, lean in, DO. This can be super valuable — sometimes people do need a reminder, need some tips, need an invitation to speak, need to evaluate their internal censor and not let it stop them. There’s a reason my google image search pulled up a bunch of stuff aimed at women: there’s been a lot of push to encourage folk who are under-represented or socialized not to step forwards.

[Slide 2] Slide shows the phrase “But what about the men?” in a bold, playful font

So clearly, as in all discussions about women and minorities, it’s time to consider what about the men? (room laughs)

[Slide 3] reads “What about self-improvement for leaders?” and shows Superman and The Hulk action figures, apparently in the middle of an argument

Okay, just kidding. But surely self-improvement isn’t just for folk who haven’t stepped up yet. What about self-improvement for people who are already leaders in our communities? What about training confident people to be better? So this talk is aimed not at our most vulnerable but at some of our more powerful, as well as those who want to become more powerful and effective community members.

[Slide 4] reads “So let’s talk about NO” and has a picture of a sign with a person holding up a hand to indicate no.

So, it looks like I have a great audience of existing and future community leaders. Let’s talk about no.

[Slide 5] reads “No is a powerful tool” and has a picture of a circular saw

No is a powerful tool with many uses. In my professional life, I do open source security, and a lot of my job involves saying no: No, this code isn’t right. No, you can’t skip validation. In my volunteer life, one of the things I do is coordinate a large summer mentoring program for the python software foundation. No, you can’t have more students than you have mentors. No, you can’t sign up even though it’s past the deadline. And as a minority in tech, I say a lot of no. No, I’m not available to help you with more diverse hiring. No, I don’t have time to educate you on issues facing minorities in tech. No helps me do my job, manage my time, make my volunteer program better, and so much more.

[Slide 6] reads “Now, I’m a NO professional… But lots of folk are not.” there is no image on this slide, only stark text.

I get paid to say no: it’s a huge part of my job, and I’ve learned a lot about when to say no, how to say no, techniques to make it easier for people to accept no, when I need backup on saying no, etc. But while I’m a professional naysayer, that’s not true of a lot of other folk in our communities.

[Slide 7] reads “Saying no can be exhausting” with emphasis on the word exhausting. There is a picture of a tired looking kitty on the slide.

And frankly, saying no can get pretty exhausting. It’s not at all helped by all those “but you should put yourself forwards!” self-help books, let me tell you. I had some dude give me an unsolicited pep talk at work about imposter syndrome and seriously, some people need to learn the difference between a lack of confidence and a knowledgeable evaluation of personal skill. No is hard, especially if you’ve been socialized to be agreeable, and some people take advantage of that. There’s a whole talk to be had about how to say no effectively, and maybe some day I’ll give it, but I feel like the people who might need some help saying no are mostly the same people who needed help saying yes, and I want to talk to the other people. The people who make saying no so exhausting, whether they mean to or not.

[Slide 8] has a title of “1. denial” and a quote that reads “That’s not really a security bug” and has a picture of a box that has a label that says “enjoy denial” in the style of a coke advertisement, and a “hello my name is denial” sticker in the style of a name sticker

Let’s talk about some common anti-patterns you get when you say no. The first one is denial. I hear this a lot in my professional life: That’s not really a security bug. That’s not exploitable. No one would ever do that.

[Slide 2] has a title that reads “2. Anger” and a quote that says “Failing this will destroy my future career!” over a picture of a young man making a weird face that could be interpreted as anger

The second reaction to no is anger. I hit this one a lot when teaching and mentoring: students sometimes have been effortlessly at the top of their class and don’t know how to handle having to work for results. Or they just have no way to handle failure and dust themselves off to try again. So they yell at me. They yell at people who they think have power over me. They blame anyone but themselves for the fact that I’m telling them something they don’t want to hear, and let me tell you they *really* don’t want to hear that I’m not destroying their life, their poor performance is destroying their life. And I wish I could say it’s just students, but try telling a project that they’re going to miss their shipping deadline due to a late breaking security issue or their failure to do due diligence. This is totally an understandable response, but it’s not a productive response.

[Slide 10] has a title of “3. Bargaining” and a quote that says “can’t you just do this one thing?” and a picture of an advertisement with a cartoon farmer saying “you’d be crazy to miss these bargains”

Next is bargaining. The worst experience I have ever had saying no was to someone who exhibited both the denial and bargaining anti-patterns. She wanted me to run a program that I’d run in previous years, which is a totally reasonable thing to ask, but when I said I wasn’t available because of a more impactful commitment, she would repeatedly come to me with things and it was always “couldn’t you just” — “couldn’t you just look over the wiki?” “couldn’t you just help with this one part of the project” “couldn’t you just help this one person get set up” “couldn’t you just answer this question.” It was exhausting and awful, because I absolutely did not have the time to do these things, and I’d actually made it clear that I didn’t even have time to keep telling her no. And yet, the questions still came.

But bargaining can also be a useful and productive pattern. In my professional life, when I say no, it’s pretty normal to negotiate a solution together with the dev team. Even in that dreadful volunteer experience, my final out came by begging a friend to work with her — negotiating it so that there was a buffer of no between me and her so she had a resource willing to help her and I had the ability to do the other thing I had committed to do.

[Slide 11] has a title of “4. Depression” and a quote that reads “Well, if you can’t help me, then this program will die” and a picture of a young woman sitting at a picnic table with her face in her hands

And then there’s depression, which honestly can be both emotional manipulation as well as true dismay.

[Slide 12] has a title of “5. Acceptance” and contains an artistic photo of a cheerful looking T Rex toy

And finally, of course, acceptance. If you haven’t already recognized them, as well as the 5 stages of no, that was also the 5 stages of grieving. It’s sort of disturbing how much they line up. But why do we need to think about no anti-patterns?

[Slide 13] reads “So few experts, so many asks” and contains no picture

And the answer is that these anti-patterns harm our communities. In a situation where you have very few experts and many people asking, anti-patterns surrounding no contribute to communities denial-of-servicing our few experts. This happens to me as a security expert sometimes: I’ve had weeks where I wind up arguing with people about lousy decisions endlessly, so much so that I then don’t have enough time to do advanced secure code review, or help other groups triage security issues well. It happens to me a lot more than I would like.

[Slide 14] has a title “Causes of burnout” and then a copy of a slide by Cate Huston that has a picture of an owl and reads “1. lack of control 2. insufficient reward 3. lack of community 4. absence of fairness 5. conflict in values 6. work overload”

My friend Cate has been giving a great talk on burnout and I just wanted to share this slide, which talks about the fact that burnout isn’t just caused by high workload. No is a great tool for avoiding high workload, but it’s also a great tool for avoiding being put in situations where you’ll be hit by the other 5 things on this list. That’s one of the reasons that it’s absolutely essential that leaders need to learn to take no for an answer so that their communities can actually be *healthy* and not burnout factories.

[Slide 15] has a picture of a ballerina in a practice outfit holding a pose that requires strength and below the words “How do I accept a no with strength and grace?”

So how can I learn to accept no with strength and grace?

[Slide 16] has only large text that reads “Step 1: Accept”

The first step to accepting gracefully is to actually accept that no was in fact the answer given. If you catch yourself doing any of the anti-pattern things, you aren’t really doing a good job at this. Consider the lady who wouldn’t take no for an answer and kept asking me “couldn’t you just…” — if she’d been able to accept the no, we could have had time to help her find a better solution. But instead, the whole experience left me frustrated, exhausted, and telling my friends cautionary tales about the experience. This was a bad outcome for both of us, and for the people she wanted to help.

[Slide 17] has only large text that reads “Step 2: Listen”

The second step is to listen. If you’re convinced this was the right choice, take time to find out why the answer was no. Be prepared to have that answer challenge your assumptions. One of the things I do at work sometimes is review open source libraries to see if they have good enough security hygiene for inclusion in our products, and I get a lot of push back when I tell people they need to choose a better library. They’ve made assumptions that don’t match up with my metrics, and the only way for them to learn to make better choices and thus get products to market faster is to learn what assumptions are leading them to poor decisions.

[Slide 18] has only large text that reads “Step 3: Plan”

The last step is to form a new plan. You might be able to do this with the help of the person who said no, but you shouldn’t assume that — No means no, folk. If you want to be a great leader, you need to take responsibility for finding a new plan if you want the thing to be done.

[Slide 19] reads “But I don’t want to get a no” with emphasis on the words “don’t want”

But I don’t want to get a no.

[Slide 20] reads “But I can’t afford to get a no” with emphasis on the words “can’t afford”

But I can’t afford to get a no.

[Slide 21] says “How do I turn no into a yes?” with no emphasized in red to evoke a “stop” and yes emphasized in green to evoke a “go”

How do I turn no into a yes?

[Slide 22] reads “If you want to turn no into yes, first consider: Am I being an asshole?” The phrase “Am I being an asshole?” is emphasized.

If you want to turn a no into yes, first consider: Am I being an asshole? (audience at OSB laughs, pulls out smart phones to take pictures of the slide). This is a legit thing you should ask yourself pretty regularly as a community leader, actually. For example, sometimes you’ll be asking for things to be done in a way that makes them easier for you at the cost of others. Sometimes you’re just demanding that things be done the first way you thought of when that’s not the important part of the request.

[Slide 23] reads “If you want to turn no into yes, first consider: What do I really need?” The phrase “What do I really need?” is emphasized.

But perhaps more usefully, ask yourself what you really need. The answer is almost certainly not “I need to irritate my valuable volunteers” but what is the answer?

[Slide 24] has an image of a hand raised as if to ask a question and reads “How do I improve my ask?”

So, if you’re getting a no and you want a yes, clearly you are doing something wrong in the way you ask. How can you improve your ask to get better results for your community even if you have to get a no sometimes?

[Slide 25] has a picture of a woman looking into a microscope in a scientific lab and reads “Step 1: do your research”

Step 1: do your research.

[Slide 26] repeats the title from the previous slide “Step 1: do your research” and follows it with a list of questions:

  • What do you really need?
  • Who else can you ask?
  • Where else can you get more information?
  • How long will what you’re asking for actually take?
  • How stressful is it?

[Slide 27] has a picture of two kids sharing and reads “Step 2: use your empathy”

Step 2: Use your empathy

[Slide 28] repeats the title from the previous slide “Step 2: use your empathy” and asks a range of questions (will appear in text below this caption) The emphasis is on the final sentence, which reads “Empathy is not about what you want, but what they want.”

  • How can you make saying yes more beneficial to the person you’re asking?
    • Can you pay them?
    • Can you provide other rewards?
    • Can you make it align better with their career or life goals?
    • Can you make sure they get more thanks, recognition?
  • How can you make it easier for them to say yes?
    • Do they need childcare?
    • Do they need a better schedule?
    • Does the task need to be better-defined?
    • Could they help with something smaller?
  • Should you just leave them alone if they say no?
  • Empathy is not about what you want, but what they want.

If you don’t know how to empathize, you’re going to end up with asks that are utterly unappealing or outright insulting to the people whose help you want.

[Slide 29] has a picture of a snowy scene with my mom and her dog Buster and reads, “I’m Canadian. People die of exposure”

And in a striking example of that, one thing I and many others often get offered for my time is “exposure” — I’m from Canada. My people DIE of exposure. But jokes aside, exposure is often a double-edged sword for people in your community, and you need your empathy and knowledge of your community of volunteers to know when that’s something they might want and when it’s something they want to avoid at all costs.

[Slide 31] has a title of “Step 3: make a backup plan (or several)” and a Foxtrot comic about the need to make computer backups *before* doing something on the computer

Make a backup plan (hopefully this will be easier with the research!). If getting a yes is really important to you, you should try to do all of these things in advance.

[Slide 32] is a summary slide described in detail below.

Refusing to take no for an answer is damaging behaviour: it contributes to burnout, denial of service, assholism.

Steps to graceful acceptance of no:

  1. Accept
  2. Listen
  3. Plan

If you really need a yes

  1. Do your research
  2. Use your empathy
  3. Make a backup plan

And do all of this before you ask if you want the best results and the happiest community. If you’re asking for something, the onus is upon you to figure out who might want to do this and find a way to make them feel great about saying yes.

Learning to accept no well and productively will make you a more effective leader.

Nopetopus source

Photo credits:
“Superman vs Hulk (131/365)” by JD Hancock https://www.flickr.com/photos/jdhancock/4600608792
“Talk to the hand” by Bridget McKenzie https://www.flickr.com/photos/bridgetmckenz/7822818160/
“Power tool” by Helen Cook https://www.flickr.com/photos/hvc/2681974174/
“Sleepy” by Sera Photography https://www.flickr.com/photos/seraphing/15305580251/
“Denial pack” by andres musta https://www.flickr.com/photos/andresmusta/6175939561/
“Anger” by kunkelstein https://www.flickr.com/photos/21370407@N08/2091127037
“You’d be crazy to miss these bargains” by Christian Heilmann https://www.flickr.com/photos/codepo8/1309725237
“Acceptance” by Kitty Mao https://www.flickr.com/photos/kwseah/21683299393
“Beautiful Ballerina” by Grace Trivino https://www.flickr.com/photos/graceyheartphotography/4741052547
“Raised hand” by usdagov https://www.flickr.com/photos/usdagov/22484527807/
“Sharing” by Binny V A https://www.flickr.com/photos/binnyva/8600465534
“Out for a walk in the woods” by Terriko https://www.flickr.com/photos/terrio/8304718546/

OSB 2015 – Internet of Things Militia: Paramilitary Training for your IoT devices (Video & Slides)

As previously mentioned, I gave two talks at Open Source Bridge this year, and they’ve recently put the videos online. Here’s the more frivolous and silly of the two:

Internet of Things Militia: Paramilitary Training for your IoT devices

Abstract: Security folk generally talk about how the Internet of Things is bad for security, but it also brings new sensors and connected devices that could co-operate in new and interesting ways. Could we use internet things to enhance security?

Video embedded below:

[Confreaks.tv video link] [Youtube video link]

I was honestly pretty surprised that open source bridge accepted two talks (especially when I found many colleagues who are pretty decent speakers didn’t get in!). This was a bit of a joke talk, meant to poke fun at how security people talk doom and gloom about internet of things, but also a way to talk sideways about how internet things are both terrible and terrific if you think like a hacker. I’m not sure I would have pitched this talk if I’d known that OSB audiences are notoriously quiet and not big on participation, but I was lucky enough to get a crowd who was willing to get into it and come up with some fun suggestions on how to “better” use internet things.

Remember, don’t try this at home!

[Internet of Things Militia: Paramilitary Training for your IoT devices (Slides)] To be honest, there’s not much in these other than pictures to get people talking, but you can see my notes underneath each slide to see what I was planning on saying. The slides are also in the video.

Again, one day I hope to transcribe this and put up a nice blog post with the slides for those who don’t love video, but the perfect is the enemy of the good and all, so I’m sharing what I have instead of pining for what I don’t have done yet.

OSB 2015 – Bringing Security to Your Open Source Project (Video & Slides)

I gave two talks at Open Source Bridge this year, and they’ve recently put the videos online. Here’s the more serious and informative of the two:

Bringing Security to Your Open Source Project

Abstract: With high profile breaches in open source projects, the issue of security has become one of great import to many people. But many projects, especially smaller ones, are intimidated by the idea of a security audit. This talk will discuss ways for smaller projects to experiment, learn, and even have fun improving their security. No PhDs in security required!

Video embedded below:

[Confreaks.tv video Link] [youtube link]

I’m a bit sad that they cut out the introduction I got; it was pretty hilarious.

The motivation behind this talk is that when I tell people in open source communities that I do security for open source projects, I get a lot of interest but people always say they don’t know where to start and quite a lot of them buy into the idea that somehow just being open source makes you secure. That can be a big push towards security for some projects, but it’s not a panacea, so this talk is an intro to how to do a security hackathon and be welcoming to folk who want to help with your security.

[Bringing Security to Your Open Source Project (Slides)] The slides are in the video as well, but sometimes this is easier! If you look at the slides, you can also see a rough version of what I’d planned to say in the notes section.

One of these days I’ll transcribe the talk and set up a blog post with slides as images for folk who aren’t into videos for whatever reason (I know I don’t watch very many myself unless I’m multitasking), but I thought I’d share the video first rather than wait. Hope you like it!