OSTIF is proud to share the results of our security audit of Backstage. Backstage is an open source framework for building developer portals. With the help of X41 D-Sec and the Cloud Native Computing Foundation (CNCF), the project can continue to provide quick and secure development environments.
Audit Process:
This audit was undertaken with the help of folks on the Spotify Engineering team in collaboration with the team at X41 D-Sec. Combining manual review with code analysis tools, the audit team focused on the core code of the project. As Backstage is complex and deeply ingrained in the development workflows of many services and applications, frequent auditing is important to ensure consistent security measures are maintained.
The engineering team working on Backstage’s audit was incredibly helpful and active, and there is a release available to users with fixes for all the reported issues in this audit.
Audit Results:
- 4 issues with security impact
  - 3 High, 1 Medium
- 7 additional informational findings
- 3 CVEs
This was the second audit of Backstage by OSTIF and X41, underlining the point that auditing is an ongoing process that makes the most impact on projects when it is properly timed and executed. The previous audit reported 12 security findings with an additional 15 informational recommendations, so this second audit shows a 66.6% reduction in security findings and an over 50% reduction in informational findings.
Thank you to the individuals and groups that made this engagement possible:
- Backstage maintainers, community members, and users
- X41 D-Sec: Ali Basma, Eric Sesterhenn, JM, Markus Vervier and Yassine El Baaj
- The Cloud Native Computing Foundation
You can read the Audit Report HERE
You can read X41’s Blog HERE
You can read Backstage’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].