Commit 5f2c8a49 authored by Katie Schueths

Add new file

parent 01f4d32b
# Open Source Security
Event Technical Support Help Desk Mattermost Chat: https://mm.leadingbit.com/event-support/channels/town-square
Schedule: https://opensource.ieee.org/workshops/june-tag-workshop/20210616-tag-workshop/-/blob/main/Event%20Information/20210616-event-schedule.md
Main Page: https://saopen.ieee.org/workshop/
Attendees:
* Raul Pineda
* Todd Higgins
* Sonia Santana
* Julia Longtin
* Melissa
* Katie Schueths
* Lisa Marie Maginnis
* Mari
Raul discussed security requirements in his work history. Going back to talk of technical debt is a little bit the same. Security legacy may have the same risks. The new platform base has some learning curve. Security through obscurity.
Julia talked about her background in open source communities. The technical debt thing creeps up too, trying to get tools caught up. Online maintainer of a CAD website. Do not have to worry about as many vulnerabilities now with more functional tools.
Discussion of security suites.
Julia recommended these tools: tripwire, cruft, arpwatch, MRTG, and debsums. Raul says cloudcustodian.io.
Threats are changing more now. Ransomware, crypto mining hijacks of your processing power.
Real threats that could mean really bad things - bad PR, FBI coming to warn you that your traffic was coming from security-compromised spots around the world. Bad actors.
LeftPad hijack. Node.js developer had vulnerabilities.
Lisa talked about threat models, threat actors. Identify what needs to be protected. Who, what. Reasonable security model to start with that can be improved. Know your users and know your audience. Cover your bases. Technical aspect - scan everything. Then more human targets too. Crypto mining on the cluster. We have implicit trust with our users right now. GitLab has a requirement for a credit card to verify an account. IEEE has not done that.
Compliance does not mean you are secure. Find your highest points of vulnerability. It is not a trust of the people, but what could happen if someone compromised a user's credentials.
Perception of security. Realistic preparations for threats. Fear does drive policy. Threat modeling. Spend resources protecting financial and reputational assets. Prioritize where you spend your resources.
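The host integrity tools recommended above (tripwire, debsums) work by recording a baseline of file hashes and reporting drift from it. As an added example that is not part of the workshop notes and not code from any of the named tools, the following POSIX shell script implements that check in miniature: it hashes every regular file under a directory into a baseline, then re-hashes the tree and reports changed, missing and new files. It assumes `sha256sum` (or `shasum`) and `awk` are available; the directory tree and file names built in `demo()` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the workshop notes: a minimal file-integrity
# baseline of the kind tripwire and debsums maintain. baseline_create hashes
# every regular file under a directory; baseline_verify re-hashes the tree and
# reports CHANGED, MISSING and NEW paths relative to the recorded baseline.
# Assumes a POSIX shell, awk, and sha256sum (GNU coreutils) or shasum (BSD/macOS).
# The directory tree built in demo() is constructed for illustration.
set -eu

# Pick a SHA-256 tool; both print "<hash>  <path>" per file.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"
fi

# baseline_create DIR OUT: write "<hash>  ./relative/path" for every regular
# file under DIR into OUT, sorted by path so baselines can be diffed.
# Filenames containing newlines or backslashes are not handled (the hash
# tools escape those and this parser does not unescape them).
baseline_create() {
    dir=$1
    out=$2
    # HASH_CMD is intentionally left unquoted so "shasum -a 256" word-splits.
    (cd "$dir" && find . -type f -exec $HASH_CMD {} +) | LC_ALL=C sort -k 2 > "$out"
}

# baseline_verify DIR BASELINE: re-hash DIR and compare with BASELINE.
# Prints one line per deviation ("CHANGED p", "MISSING p", "NEW p") and
# returns 1 if there were any; prints nothing and returns 0 for a clean tree.
baseline_verify() {
    dir=$1
    base=$2
    current=$(mktemp)
    baseline_create "$dir" "$current"
    # First pass (baseline): remember hash per path. Second pass (current):
    # paths absent from the baseline are NEW, differing hashes are CHANGED,
    # and whatever is still in the table at the end was MISSING.
    report=$(awk '
        { h = $1; p = $0; sub(/^[^ ]+ +/, "", p) }
        NR == FNR { old[p] = h; next }
        !(p in old) { print "NEW " p; next }
        old[p] != h { print "CHANGED " p }
        { delete old[p] }
        END { for (p in old) print "MISSING " p }
    ' "$base" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# demo: build a small constructed tree, record a baseline, tamper with it the
# way a compromised account might (edit a file, remove a tool, drop an
# unexpected binary) and print what the verification reports. Returns 0.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/tree/etc" "$root/tree/bin"
    printf 'Welcome\n' > "$root/tree/etc/motd"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$root/tree/etc/passwd"
    printf '#!/bin/sh\necho ok\n' > "$root/tree/bin/old-tool"
    baseline_create "$root/tree" "$root/baseline.txt"

    printf 'Welcome (edited)\n' > "$root/tree/etc/motd"             # CHANGED
    rm "$root/tree/bin/old-tool"                                    # MISSING
    printf 'not in the baseline\n' > "$root/tree/bin/unexpected"    # NEW

    baseline_verify "$root/tree" "$root/baseline.txt" || true
    rm -rf "$root"
}

demo
```

Run it as `sh integrity.sh`; the demo prints one CHANGED, one MISSING and one NEW line. In practice the baseline must be kept somewhere the monitored host cannot rewrite it (tripwire signs its database with a local key for this reason); otherwise whoever can change the files can also update the baseline to match.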