OSTIF has been working with the Open Source Security Foundation’s Securing Critical Projects working group to help identify critical pieces of infrastructure that require focused security attention.
Symfony, a widely used PHP framework, has consistently been near the top of multiple reports, underscoring the criticality of the project to the open source community. It also appears on the OSTIF Managed Audit Program 25, a document that pulls data from multiple sources to develop a high-priority list of projects to consider for security review and free consulting.
When the opportunity for a grant arose, OSTIF hand-picked Symfony as the project of choice for the proposed budget. Symfony represents a cross-section of criticality, complexity, and visible security practices that make the project an ideal candidate for benefiting from our free auditing services. The OpenSSF technical advisory committee, the governing board, and the budget committee all approved the project, which gives OSTIF another exciting opportunity to showcase the value of our work to the world.
As this project progresses, we will work with our security teams to create the most effective scope for the budget that we have, work with the project maintainers to set up clear communication and to have them share any concerns about components or areas of code that they find problematic, and guide them through the audit process and the resolution of any findings.
When the project is complete, we will post the results here and on multiple services that aggregate audit information for easy access.