OSTIF is proud to share the results of our security audit of Bref. Bref is an open source project that allows developers to go serverless on AWS with PHP. With the help of Shielder and Amazon Web Services, this project has strengthened their foundation of transparency and easy customization for developers. 

Audit Process:

The Shielder audit team first reviewed the most critical areas of the library with manual static analysis before utilizing tooling to de-bug input from AWS to Bref. Additionally, differential analysis was performed on event-to-PHP object conversions and in reverse. This was to confirm the veracity of the conversions, as the project is designed to be transparent to developers and any unpredicted output could lead to undefined behaviors. 

Audit Results:

  • 5 findings with security impact- 80% fixed
    • 2 Medium severity
    • 3 Low severity
    • List of relevant exploit scenarios
  • Short-Term Recommendations based on Bref’s current status
  • Long-Term Improvements suggested to continue Bref’s testing regime 

Security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security as well as releases and life cycles. Noted in the audit report is that Bref is well-developed, with many best security practices already utilized and in the correct place. 

Thank you to the individuals and groups that made this engagement possible:

  • Bref maintainers and community- notably Mattieu Napoli
  • Shielder- Abdel Adim “Smaury” Oisfi, Pietro Tirenna
  • Amazon Web Services

You can read the Audit Report HERE

You can read Shielder’s blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].