The insecurity of the free & opensource software


While arguing which is the best, between open source and closed source software, from a security perspective, it is more or less always the case that the first one is believed to be better, because “the software can be scrutinized”.
While in theory this is true, the reality is quite different. In fact, a lot of companies associate “opensource software” as “something that we can use to earn money without paying”. This lead to products, full of opensource solutions (e.g.: programs, libraries, etc…) that are supported only by amazing volunteers who put huge effort in those project but that, due to lack of support and knowledge, are not able to evaluate and improve the security of what they are providing. At the very same time, those companies sell millions of vulnerable devices (IoT, embedded, medical, etc…) around the world, without even thinking to support the volunteers.
Last but not least, a lot bug hunters are more attracted by paid bounties, leaving those projects on their own.
During the talk I would like to share some details about this condition, explaining why normal (e.g. unit) testing is not enough to guarantee the security of a product. Even “automated security testing” techniques, such as fuzzing, will be demystified during the talk.
The goal of the talk is to try to rise the awareness about these problems, both for volunteers and for companies using open source software.