Falco joins a growing number of CNCF projects that have completed a third-party security audit organized by OSTIF. As a follow-up to its 2019 audit, the Falco project requested a new engagement because of the changes to the code base since then. OSTIF partnered with Quarkslab to complete the audit. An overview of the results, along with a link to the report, can be found below.

“Security audits are a good practice for projects especially as their communities and users grow. The CNCF maturity model is a good example of using policy and a strong support network to help projects improve their security posture. It’s an especially good practice to do follow-on audits as projects implement new code and features. I commend the Falco team for their efforts and commitment.”

  • Amir Montazery, Managing Director of OSTIF. 

“The Falco community is composed of information security experts that are passionate and committed to making all aspects of the project as secure as possible at every level. It has been a pleasure working with OSTIF and Quarkslab to not only assess the current level of security but to also design the most effective strategies to continuously verify and improve the security properties of the project. We are especially impressed by the depth and quality of the analysis performed and the clear and smooth communication from the team.”

  • Luca Guerra, Falco Core Maintainer, Open Source Engineer at Sysdig

As found in the report, “The goal of the audit was to assist the Falco maintainers to increase their security posture using static and dynamic analysis. Falco maintainers required an emphasis on fuzzing. To that end, Quarkslab’s engineers researched multiple topics to provide recommendations and relevant advice. In addition, Quarkslab’s engineers assessed the code in order to find some issues, using automated testing tools, fuzzing, or just by manually reviewing the code base.” 

The engagement included a threat model along with static and dynamic analysis, and uncovered one medium-severity finding and a number of low-severity and informational findings.

After reviewing the report findings, Falco maintainers and contributors worked to address all the issues identified, enhance the static and dynamic analysis pipelines, and track longer-term tasks. The overall goal is to establish continuous improvement projects that maintain the highest security standards in the codebase.

The Falco release team addressed all medium- and low-severity findings, as well as the informational ones, in the 0.34.0 release and the 0.34.1 patch release, which are based on Falco Libraries 0.10.3 and 0.10.4. Details on the issues, credits, patches and affected versions are tracked in the relevant repository's Security Advisories.

Continuously assessing the security of the codebase and making sure that potential weak points are caught and fixed early in the development process is extremely important to Falco maintainers and contributors. Following the report's recommendations, the static and dynamic analysis steps that run automatically have been enhanced, with more additions planned. For instance:

  • CppCheck has been added to the Falco repository alongside other static analysis tools already present;
  • Semgrep has been added to the Falco Libs repository to prevent potentially dangerous functions from being introduced by contributors and enable more security focused checks in the future;
  • The use of AddressSanitizer, LeakSanitizer and similar tools has been extended to end-to-end testing to further improve detection of memory leaks, memory corruption, and other errors.
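As an illustration of the kind of check the Semgrep addition makes possible, here is an added example rule, written for this post and not the rule set that the Falco Libs repository actually ships, that fails a pull request when a contributor introduces an unbounded C string function. The rule id, the list of flagged functions, the message and the metadata are assumptions chosen for the example.

```yaml
# Example Semgrep rule (added for illustration; not the Falco Libs project's own rule set).
# Flags calls to C string functions that write without a length bound, the
# classic source of stack and heap overflows in C/C++ code bases.
rules:
  - id: forbid-unbounded-c-string-functions   # rule id is an assumption
    languages: [c, cpp]
    severity: ERROR
    message: >-
      Call to $FUNC writes without a length bound. Use the bounded
      equivalent (strncpy/strlcpy, strncat/strlcat, snprintf, fgets)
      or std::string, and check the result.
    # Match any call, then restrict the callee name with a regex, so one
    # rule covers the whole list and new names can be added in one place.
    patterns:
      - pattern: $FUNC(...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(strcpy|strcat|sprintf|vsprintf|gets)$
    metadata:
      category: security
      cwe: "CWE-120: Buffer Copy without Checking Size of Input"
```

Running `semgrep --config <rule-file> --error .` in CI returns a non-zero exit status whenever a finding matches, which is what turns a rule like this into a gate on pull requests rather than an advisory report. Keeping the function list in a single regex makes it easy to extend the rule as reviewers spot further patterns worth blocking.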

The Falco community is also tracking ideas for integrating additional static analysis tools and further memory leak and memory error detection.

Falco maintainers have also greatly appreciated the work that the Quarkslab team has done on fuzzing and dynamic analysis. The report reveals that building a robust fuzzer for Falco is a challenging task, and the Falco community intends to work on it based on the expertise shared in the report.

We thank Leonardo Grasso, Jason Dellaluce, Luca Guerra, and the rest of the Falco team for contributing their time to collaborate with the audit team. Furthermore, a big thank you to Mahé Tardy, Laurent Laubin, Victor Houal, and Ramtine Tofighi Shirazi for their diligent work.

The full report can be found here: https://ostif.org/wp-content/uploads/2023/03/Falco-Security-Audit-Quarkslab-2023.pdf