Over the past year, OSTIF worked with 10 projects to complete third-party security audits with funding supplied by AWS and the EF. The engagement oversaw 24 new or existing tools developed to monitor open source projects, and over 88 vulnerabilities found and fixed, including 19 rated High or Critical severity. That’s just the beginning.
Thanks to this global coalition, AWS, the Eclipse Foundation, and OSTIF were able to improve and sustain efforts supporting open source projects’ security health and, by extension, help the community and users alike. Security audits are a valuable tool that helps projects not only find and address security weaknesses and vulnerabilities, but also builds maintainers’ security knowledge and experience around their specific project. Audits address multiple factors that influence the overall health of a project, for example documentation, architecture, and supply chain security. Engagements like security audits do more than just generate numbers and problems: they solve issues and promote behaviors that enable the healthiest lifecycle possible for a project.
We would like to specifically thank David Nalley, Aaron Leung, and Mikael Barbero for their hard work on behalf of us and all open source software security efforts. Further thanks to the teams who worked with us: Trail of Bits, Include Security, and X-41 DSec for their dedication and handiwork across these 10 projects. Finally, once more, we would like to thank the organizations of the Eclipse Foundation and AWS for their support and funding.
Read the report HERE