Reasons Why Most Audits are Still Waiting

“Audits cost too much” We’ve seen what happens in the open source ecosystem when audits are deferred – those vulnerabilities assumed to not exist are discovered, and the aftermath is a project, community, and entire ecosystem in shambles. If you ask those authors if they made the right choice deferring…

Continue ReadingReasons Why Most Audits are Still Waiting

CloudCustodian Audit Complete!

OSTIF is proud to share the results of our security audit of CloudCustodian. CloudCustodian is an open source rules engine for cloud infrastructure management. Thanks to the help of Ada Logics and the Cloud Native Computing Foundation, this project underwent a third-party security audit to help strengthen CloudCustodian’s security as…

Continue ReadingCloudCustodian Audit Complete!

Audit of Jackson-Dataformats and Jackson-Datatypes Complete

OSTIF is proud to share the results of our security audit of Jackson subprojects. Jackson-dataformats-binary, Jackson-dataformats-text, Jackson-dataformat-xml, Jackson-datatype-joda, and Jackson-datatypes-collections are open source subprojects that contribute to Jackson (described as “JSON for Java”). With the help of Ada Logics and the Sovereign Tech Fund, these subprojects will be more secure…

Continue ReadingAudit of Jackson-Dataformats and Jackson-Datatypes Complete

OSTIF joins the Sovereign Tech Fund’s Bug Resilience Program

The Sovereign Tech Fund and the Open Source Technology Improvement Fund (OSTIF) are collaborating upon multiple security reviews for open source projects. As part of STF’s Bug Resilience Program, we are organizing and providing projects that are rooted in infrastructure with audits and engagements to reduce their open and undiscovered…

Continue ReadingOSTIF joins the Sovereign Tech Fund’s Bug Resilience Program

PHP-TUF Audit Complete!

The Drupal project partnered with OSTIF for a series of audits on key technology to support supply chain security for automatic updates. Specifically, the PHP-TUF client-side library and its server-side Rugged counterpart underwent a security audit by Include Security organized by OSTIF. The Update Framework (or “TUF”) is a cryptographically-secure…

Continue ReadingPHP-TUF Audit Complete!