OSTIF is proud to share the results of our security audit of CloudCustodian. CloudCustodian is an open source rules engine for cloud infrastructure management. Thanks to the help of Ada Logics and the Cloud Native Computing Foundation, this project underwent a third-party security audit to help strengthen CloudCustodian’s security as well as fulfill a requirement for graduation. 

Audit Process:

The audit began with the development of a threat model of CloudCustodian. Ada Logics outlined the components and policies in scope and followed them to see CloudCustodian’s functionality at work; that process mapped the possible attack surfaces and attacker objectives. Having illustrated and detailed CloudCustodian’s data flow in a formal threat model, the audit team began evaluating the source code. Notably, the threat model was further refined during that subsequent work.

Whilst auditing CloudCustodian’s source code, Ada Logics also developed a suite of fuzz tests for the validation, processing, and parsing routines of the class methods that handle input. Ada Logics additionally reviewed CloudCustodian’s software development life cycle against the SLSA standard.

Audit Results:

  • 10 Findings with a Security Impact
    • 2 Medium, 6 Low, 2 Informational
  • Detailed Threat Model of CloudCustodian
  • Developed and Integrated a Fuzzing Suite for CloudCustodian
    • 11 New Fuzzers
    • Integrated into OSS-Fuzz
  • SLSA analysis of CloudCustodian

OSTIF wishes CloudCustodian the best on its path towards Graduation through the CNCF Incubating Projects Program. Third-party security audits don’t just produce quantitative results; they also yield documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles.

Thank you to the individuals and groups that made this engagement possible:

  • CloudCustodian maintainers and community, specifically Kapil Thangavelu
  • Ada Logics: Sheung “Arthur” Chi Chan, Adam Korczynski and David Korczynski
  • The Cloud Native Computing Foundation

You can read the Audit Report HERE

You can read CloudCustodian and CNCF’s Blog HERE

You can read Ada Logics’ Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].