OSTIF is proud to share the results of our security audit of OperatorFabric. OperatorFabric is an open source industrial platform for utility operations. With the help of Quarkslab and Linux Foundation Energy (LF Energy), this project will continue to provide secure, centralized business operations for users and high-quality service to the energy and water industries.
Audit Process:
Quarkslab auditors performed a white-box audit of the OperatorFabric project, combining dynamic and static analysis. The intent of this engagement was to identify vulnerabilities, assess and reduce risk levels, and generate recommendations based on the findings. Guided by the threat model developed during the audit, Quarkslab outlined possible attack scenarios and weaknesses for the project to consider in current and future security efforts.
Audit Results:
- 5 Findings with Security Impact
  - 1 Critical
  - 1 High
  - 3 Low/Info
- Custom Threat Model
- Analysis of the 17 Docker containers in the OperatorFabric environment
Two high-impact vulnerabilities were identified in this engagement, both relating to path processing. While this placed OperatorFabric in the “Insufficient Security” category of Quarkslab’s security ranking matrix, the report quickly adds qualifiers to this ranking as it applies to the project. The audit team states that none of the vulnerabilities found can be exploited without authentication. Furthermore, the project’s code is clean, easy to audit, and indicates that the maintainers take security seriously (for example, by performing automated scanning of dependencies).
Thank you to the individuals and groups that made this engagement possible:
- OperatorFabric maintainers and community, specifically Frédéric Didier and Clément Bouvier-Neveu
- Quarkslab: Vadim Mika, Lucas Laise, Mickael Mestouri, Pauline Sauder, Matthieu Ramtine Tofighi Shirazi
- LF Energy: John Mertic and Dan Brown
You can read the Audit Report HERE
You can read the LF Energy Blog HERE
You can read Quarkslab’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].