Archive for January, 2009

OpenStreetMap and CloudMade – Open Licensed Geo Data – London 27/04/09

Wed, Jan 28th 2009 20:59 Posted by markelkins

CloudMade will give a talk about the OpenStreetMap project, how open licensed geo-data is being created in an open community, and how it can be used, on 27th April 2009 from 1800 hours for the Open Source Specialist Group (OSSG) and the Geospatial Specialist Group at the BCS Central London Offices, First Floor, The Davidson Building, 5 Southampton Street, London WC2E 7HA.

To book a place to attend this event through OSSG please email your name to the events coordinator.

For further information please contact Mark Elkins at mark_elkins@bcs.org

Free buffet and refreshments available.

OSSG AGM 2009 – London 14/05/09

Wed, Jan 28th 2009 20:58 Posted by markelkins

The Annual General Meeting (AGM) of the Open Source Specialist Group (OSSG) will be held on 14th May 2009 from 1800 hours at the BCS Central London Offices, First Floor, The Davidson Building, 5 Southampton Street, London WC2E 7HA.

Please send nominations for all OSSG Committee member posts to Mark Elkins at mark_elkins@bcs.org

The procedure governing elections is set out in the OSSG Constitution at http://ossg.bcs.org/wp-content/uploads/2006/06/OpenSourceConstitutionFinal.pdf

An event TBC is due to commence immediately after the business of the AGM has been concluded.

Free buffet and refreshments available.

For further information please contact Mark Elkins at mark_elkins@bcs.org

UKUUG Summer Conference 2009 – Birmingham 07-09/08/09

Wed, Jan 28th 2009 20:57 Posted by markelkins

Friday 7th (Tutorials), Saturday 8th & Sunday 9th August Conference

Venue: Birmingham Conservatoire, School of Music, Birmingham City University,
Paradise Place, Fletchers Walk, Birmingham B3 3HG

Call For Papers

Summer 2009 will take place at the Birmingham Conservatoire from Friday 7th to
Sunday 9th August. The conference this year will have a choice of conference
streams, and we are particularly keen to get other groups and projects
involved.

For more information please visit: http://summer2009.ukuug.net

Ivan Ristic – Open Source Security – London 30/03/09

Wed, Jan 28th 2009 20:56 Posted by markelkins

Ivan Ristic will give a talk on Open Source Security for the Open Source Specialist Group (OSSG) on Monday 30th March 2009 from 1800 hours at the BCS Central London Offices, First Floor, The Davidson Building, 5 Southampton Street, London WC2E 7HA.

“Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server” www.ivanristic.com

To book a place at this event please email your name to the events coordinator.

For further information please contact Mark Elkins at mark_elkins@bcs.org

Free buffet and refreshments available.

The following article by Ivan from http://blog.ivanristic.com/2009/03/is-that-open-source-project-secure-enough.html outlines the direction his talk is likely to take:

Is that open source project secure (enough)?

Type the words “open source security” into a search engine and you will get dozens of links to articles, blog posts, emails, forum messages, and research papers. You can try to read them all, but I don’t think you should bother. The opinions mostly fall under one of the following categories:

  1. Having access to source code is better than not having access to source code.
  2. Community-produced software is better than vendor-produced software.
  3. The freedom to modify source code is a fundamental right of every software user.
  4. Open source developers are careless, disorganised and fickle.
  5. Commercial vendors only care about money.
  6. Who are you going to blame when an open source product fails?
  7. Open source is dangerous, but you can pay us to help you deal with it.

Most of these claims have a grain of truth in them, but they almost always miss the point in trying to distil complex realities into simple convenient truths. That just doesn’t work. The simple truth is that every single project is unique, and must be observed on its own merits. But therein lies the difficulty: how do you determine if a given software product is secure?

I know the proper answer: design an assessment methodology (or use one that already exists—the Software Assurance Maturity Model is nearing completion; Building Security In Maturity Model is expected in a week or so), then use it to make informed decisions. While this approach is suitable for academia, it is too inefficient in real life, where you need to make your decisions quickly and effectively. So what do you do?

Did I mention that I spent almost 6 years of my life working on a fairly popular open source project? In that time I struggled to use my limited resources to do what’s best for the project, security being only one of my concerns. I did reasonably well, but made many mistakes along the way. That experience (along with a similar experience in developing closed-source software) has given me an insight into what makes software developers tick and, especially, what makes open source software tick.

So I came up with an idea to avoid measuring the quality of code itself (because that’s too difficult and time consuming), instead focusing on the external manifestations of good and bad practices. I call it a Project Security Posture Review. A review might focus on the following aspects:

  1. Does the organisation follow good software development practices?
  2. How are security issues handled?
  3. Are there any public-facing services available (e.g. source code repository, issue tracking, wiki, etc.)?
  4. Is the source code tidy?
  5. Is the project mature and popular?
  6. Does the project have a reputation for quality?

The idea is that you can answer most of the questions by simply looking at the project’s web site, browsing through its code and documentation, and looking at the experiences of other people with it. The obvious advantage of this approach is that it is quick, even though it may be somewhat inaccurate.

If you think the above list is, well, vague—you are absolutely right. I am currently working on a comprehensive list, which I will present during the Open Source Security talk for the Open Source Specialist Group (OSSG) on March 30th.

The 5th International Conference on Open Source Systems – Skövde, Sweden 3-6/06/09

Wed, Jan 28th 2009 20:55 Posted by markelkins

Over the past decade, the Open Source Software (OSS) phenomenon has had a global impact on the way organisations and individuals create, distribute, acquire and use software and software-based services. OSS has challenged the conventional wisdom of the software engineering and software business communities, has been instrumental for educators and researchers, and has become an important aspect of e-government and information society initiatives. OSS is a complex phenomenon and requires an interdisciplinary understanding of its engineering, technical, economic, legal and socio-cultural dynamics.

The goal of OSS 2009 is to provide an international forum where a diverse community of professionals from academia, industry and public administration can come together to share research findings and practical experiences. The conference is also meant to provide information and education to practitioners, identify directions for further research, and to be an ongoing platform for technology transfer.

Conference Overview

The organizers are happy to announce the keynote speakers for the conference:
Stormy Peters, executive director of the GNOME Foundation; and Brian Behlendorf, founder of the Apache Software Foundation and of CollabNet.

The conference includes presentations of research papers, panels, and a poster session featuring accepted academic and industry posters.

In addition to the main OSS 2009 program, there will be a PhD consortium, workshops, and a number of formal and informal meetings. At breakfast on June 4th there will be a networking event “Women@OSS breakfast”, and at breakfast on June 5th there will be a networking event for Nordic researchers, “Nordic@OSS breakfast”.

For further information please visit: http://oss2009.org/
