OSS Security: Lessons from 10+ Years at Apache Solr

Session Abstract

How are security decisions, big and small, made in a distributed open source community? Come find out at this session, where attendees will gain insights and examples (both good and bad) to take back to their own projects.

Session Description

The security landscape is ever-evolving; as threats emerge and best practices shift, open source projects must balance backwards-compatibility and their own volunteer-driven nature against the practical needs of modern security. For Apache Solr, a project that began without built-in authentication or authorization, this journey has been particularly instructive.

This talk traces the evolution of security in Apache Solr from its early days through the present. We’ll examine the major inflection points that shaped the project’s security posture: the introduction of a pluggable authentication and authorization framework, the consideration of alternatives like Apache Shiro, formative CVE reports that exposed critical vulnerabilities, and significant deprecations like the Data Import Handler (“DIH”) that sacrificed popular features for security. Along the way, we’ll discuss the community processes and dynamics involved in each decision, along with the trade-offs of major choices (e.g. breaking changes vs. user safety).

By the end of this talk, attendees will understand how security priorities have evolved in a major open source project and gain insights and examples (both good and bad!) to take back to their own applications and projects.

Frannz Salon
08.Jun 2026
12:00pm - 12:40pm
Talk