OSTIF is pleased to announce the completion of a security audit of Eclipse Jetty in collaboration with the Eclipse Foundation and Trail of Bits. This audit was a part of a package of work organized and managed by OSTIF to provide security engagements to Eclipse Foundation projects. With funding and full support from the Foundation, OSTIF was able to provide three projects with much-needed security oversight, analysis, and recommendations that helps projects grow stronger and more secure than before. 

In this particular case, Jetty was an excellent candidate for an audit. As a web/application server, the project handles data that can come from malicious sources, supports numerous protocols, and runs custom application code that is complex. Security of Jetty is imperative as the project is in applications run globally by millions. Audits like this are a great practice and routine to improve and harden open source projects’ security. Over time, audits help to locate vulnerabilities in code, fix issues that impact code health and security, and direct possible security work in the future to the most impactful locations. 

The Eclipse Foundation is a frequent collaborator and funder of OSTIF, and when they wanted actionable, impactful security results for their money they came to us. OSTIF will always prioritize and seize any opportunity to work directly with open source projects to help improve their security and to engage high-quality security firms to do what they do best. As an organization, our sole focus is open source projects and their security and we get to perform our best work when we are backed by organizations who believe in our mission. 

We would like to thank the Eclipse Foundation, specifically Jesse McConnell, Joakim Erdfelt, Mikael Barbero, and Marta Rybczynska for their aid in funding via the Alpha-Omega Project that made this endeavor possible. Further gratitude is extended to the team at Trail of Bits for their hard work and contributions to this audit, specifically Kelly Kaoudis, Spencer Michaels, Cliff Smith, and Sam Alws. Further thanks to Jeff Braswell as well. 

Read the full report at: https://ostif.org/wp-content/uploads/2023/10/audit-of-eclipse-jetty-ostif-trail-of-bits-2023.pdf

Learn about the experience of the Eclipse Foundation at: https://mikael.barbero.tech/blog/post/2023-10-18-eclipse-jetty-security-audit-results/

More info about the experience for the Jetty team is available on the blog at: https://webtide.com/security-audit-with-trail-of-bits/