SOSS Community Day Europe 2024

GitLab's mission is to enable everyone to contribute to and co-create the software that powers the world. That software must be secure.
Open source plays a crucial role in addressing security risk through transparency and community efforts. By having source code publicly available, a wider community from various different background can inspect, identify, and fix vulnerabilities in a timely manner.
Other open source practices help increase security, too. Things like:

• Collaborative Verification
• Security Auditing
• Security tool Development
• Contributions to security initiatives
• Vulnerability Reporting and Resolution
• Education and Best Practices

Using examples of these practices from GitLab and other open source projects, let's talk about how we can move open source security forward together.

Only a few weeks ago we saw how dangerous kernel-level changes can be, as IT infrastructure around the world was brought down by an update to a widely-used security tool. Does this mean the kernel is too dangerous for vendors to be allowed to access? In this talk we’ll consider how eBPF and its open source provenance can enable powerful and high performance security tools, without exposing users to the same risk of kernel bugs and their consequent outages.

DON’T PANIC! Grab your towel and come along for a tour of the crazy acronyms that makes up the Vulniverse! Finding, fixing, and sharing vulnerabilities is a challenge on the easiest of days. Mix in all of the standards, formats, channels, and personalities, it can feel like an insurmountable hill to climb every day. Don’t despair, the Vulniverse Alphabet Soup Guide is here to help make things a little less confusing! Learn about the foundational elements used within Coordinated Vulnerability Disclosure (CVD) by Product Security & Incident Response Teams (PSIRTs), Security Researchers, Computer Emergency Response Teams (CERTs), and Corporate Incident Response & Security Teams (CSIRTs) to help describe and communicate information about security vulnerabilities in hardware and software. Learn about how formats such as CVE (Common Vulnerability & Exposures CVE), CVSS (Common Vulnerability Scoring System), Common Weakness Enumeration (CWE), and newer items like Vulnerability EXchange (VEX) all have vital parts to play helping get information and fixes in the hands of software and hardware consumers! After this, YOU’LL be a Vulnerability Babblefish!