Open-Source Security: Shining the Spotlight on Development
Eclipse Foundation's Marta Rybczyńska on Best Practices for Vulnerability Reporting
Securing open-source software poses a significant challenge for industry experts who must contend with a vast variety of programming languages and technologies used to develop open-source projects, along with the equally diverse attack routes available to threat actors for exploiting vulnerabilities.
Marta Rybczyńska, technical program manager at Eclipse Foundation, explained how security professionals should approach vulnerability reporting. She recommended outlining specific guidelines for researchers in a security.md file to ensure confidentiality and prevent potential exploits from reaching public channels.
"The most important thing will be training of the development teams on security processes," she said. "There should be someone looking at those reports, analyzing them, triaging, finding people who are going to make the fix, and communicating with the security researchers to give them information on where we are in the process."
In this interview with Information Security Media Group at Black Hat Europe 2023, Rybczyńska also discussed:
- The need for clear communication between security researchers and developers;
- Eclipse Foundation's current priorities, including automating security management for its extensive project portfolio;
- The evolving role of AI in identifying and remediating vulnerabilities in open-source software.
Rybczyńska has 20 years of experience in network security and open-source software. She is the founder of Syslinbit, an open-source consulting company. Her expertise spans embedded development, Linux kernel architecture and contributions to various open-source projects.