Open Source Technology Improvement Fund, Inc is happy to announce the results of the CloudEvents Security Assessment. CloudEvents is a specification for describing event data in a common way that simplifies event declaration and delivery across services, platforms, and beyond. CloudEvents has a robust network of contributors and active development as part of the Cloud Native Computing Foundation. 

The Security Assessment took place in September 2022: a team of two experts spent four person-weeks on the review, combining dynamic and static analysis of the SDKs with a manual review of the specification.

The goal of security audits is to find vulnerabilities so they can be fixed before attackers exploit them, as well as to identify opportunities to harden a project’s implementation and processes to counter vulnerabilities in the future. The CloudEvents Assessment did not uncover any significant flaws or defects that could impact system confidentiality, integrity, or availability. 

The notable findings of the review were that some of the SDKs were using outdated dependencies that needed critical security updates, leaving several SDKs carrying multiple outdated and vulnerable dependencies. This is a common problem in software, and it highlights the importance of better dependency management; the deps.dev tool provides insight into a project's dependencies. Furthermore, the CloudEvents Assessment highlighted the need to add fuzzing tests to the SDKs and to consider adding various SDKs to the OSS-Fuzz project.
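To make the fuzzing recommendation concrete, here is an added example of the kind of harness an SDK could adopt. It is not code from the OSTIF post, the audit report, or any CloudEvents SDK: `parse_cloudevent` is a deliberately minimal stand-in for an SDK's JSON decoder (it enforces only the four attributes the CloudEvents 1.0 specification marks as required: `id`, `source`, `specversion`, `type`), the seed event is constructed for this example, and `mutate`/`fuzz` are a small mutation-based loop whose only property is "the decoder rejects bad input with `InvalidEvent` and never escapes with any other exception". In a real SDK the same harness shape would wrap the SDK's own decoder and run under a coverage-guided engine (for example Python's atheris or Go's native fuzzing), which is what an OSS-Fuzz integration would supply.

```python
import json
import random

# Attributes the CloudEvents 1.0 spec requires on every event (the only spec
# rule this toy decoder enforces; real SDKs validate far more).
REQUIRED_ATTRIBUTES = ("id", "source", "specversion", "type")

# Constructed seed input for the fuzzer; values are illustrative, not from the page.
SEED_EVENT = (
    b'{"specversion":"1.0","type":"com.example.sampletype1",'
    b'"source":"https://example.com/event-producer","id":"A234-1234-1234",'
    b'"time":"2018-04-05T17:31:00Z","datacontenttype":"application/json",'
    b'"data":{"hello":"world"}}'
)


class InvalidEvent(ValueError):
    """The one exception a caller should ever see for malformed input."""


def parse_cloudevent(raw: bytes) -> dict:
    """Decode a CloudEvents JSON envelope (toy stand-in for an SDK decoder).

    Contract under test: every rejection is an InvalidEvent; any other
    exception escaping this function is a bug the fuzzer should report.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidEvent(f"not UTF-8: {exc}") from None
    try:
        obj = json.loads(text)
    except (json.JSONDecodeError, RecursionError) as exc:  # RecursionError: deeply nested input
        raise InvalidEvent(f"not JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise InvalidEvent("envelope must be a JSON object")
    for attr in REQUIRED_ATTRIBUTES:
        value = obj.get(attr)
        if not isinstance(value, str) or not value:
            raise InvalidEvent(f"missing or empty required attribute {attr!r}")
    if obj["specversion"] != "1.0":
        raise InvalidEvent(f"unsupported specversion {obj['specversion']!r}")
    return obj


def is_rejected(raw: bytes) -> bool:
    """True if the decoder rejects `raw` cleanly (with InvalidEvent)."""
    try:
        parse_cloudevent(raw)
    except InvalidEvent:
        return True
    return False


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation (bit flip, delete, insert, splice token)."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                                  # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                                # delete one byte
        del buf[rng.randrange(len(buf))]
    elif op == 2:                                        # insert one random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:                                                # splice in a JSON-relevant token
        token = rng.choice([b'"', b"{", b"}", b"[", b"]", b",", b":", b"\\", b"\xff"])
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = token
    return bytes(buf)


def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    """Mutation-based fuzz loop; returns counts plus any inputs that crashed the decoder."""
    rng = random.Random(rng_seed)           # fixed seed keeps runs reproducible
    corpus = [seed]
    stats = {"accepted": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parse_cloudevent(candidate)
            stats["accepted"] += 1
            corpus.append(candidate)        # inputs that still parse become new seeds
        except InvalidEvent:
            stats["rejected"] += 1
        except Exception as exc:            # anything else is a decoder bug worth a report
            stats["crashes"].append((candidate, repr(exc)))
    return stats


if __name__ == "__main__":
    result = fuzz(SEED_EVENT)
    print(f"accepted={result['accepted']} rejected={result['rejected']} "
          f"crashes={len(result['crashes'])}")
    for raw, error in result["crashes"]:
        print("CRASH", error, raw[:80])
```

The harness keeps mutated inputs that still decode as new seeds, so later mutations explore the neighbourhood of valid events rather than only random noise; the fixed RNG seed makes a reported crash reproducible, which is what turns a fuzzing result into a fixable bug report.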

Third-party Security Audits are an important tool for improving a project’s security posture. CloudEvents joins a long list of projects that have undergone audits in 2022. 

Thank you to Cloud Native Computing Foundation for funding the audit and entrusting OSTIF to manage it. A big thank you to Doug Davis for collaborating with the audit team. Lastly, thank you to Trail of Bits for performing the work. 

For full details on this engagement, see the full report here: https://ostif.org/wp-content/uploads/2022/11/CloudEvents.pdf

Trail of Bits also publishes all of their public work to their GitHub here: https://github.com/trailofbits/publications/tree/master/reviews

The direct link to the full report is also hosted on the Trail of Bits GitHub here: https://github.com/trailofbits/publications/blob/master/reviews/CloudEvents.pdf