Open Source Technology Improvement Fund (OSTIF) is beyond proud to announce the completion of our 50th security audit. Since 2015, the nonprofit organization has worked to provide actualized security support to open source projects in a way that is transparent, public, and impactful. We work with open source projects that…
OSTIF is proud to announce the publication of the security audit of nvm in collaboration with 7ASecurity! nvm is a version manager for node.js, which works on any POSIX-compliant shell for Linux, Mac, and Windows. For this audit, 7ASecurity performed a whitebox security review and penetration testing upon the open…
OSTIF is happy to announce the completion of Knative’s security audit. The audit covered the core sub projects of Knative: Eventing, Serving and Pkg with minor focus on Knative extensions, Func and Security-Guard. The audit was a holistic audit, covering different aspects of Knative’s security including threat modeling, manual code…
Open source project Kyverno completed a security audit by OSTIF and Ada Logics in the fall of 2023 in continued partnership with the CNCF. This engagement was organized to be a holistic review of the Kubernetes policy engine, including threat modeling, manual code auditing, fuzzing and supply-chain review. The security…
Open source project Mosquitto underwent a security audit with OSTIF and Trail of Bits in collaboration with the Eclipse Foundation. The project, which is a message broker for the MQTT protocol, is designed to connect the Internet of Things. Projects that are open to the internet have increased landscape exposure…
OSTIF is pleased to announce the completion of a security audit of Eclipse Jetty in collaboration with the Eclipse Foundation and Trail of Bits. This audit was a part of a package of work organized and managed by OSTIF to provide security engagements to Eclipse Foundation projects. With funding and…
OSTIF and wasmCloud collaborated with Trail of Bits on a security audit of the application which is a deployment platform for distributed Wasm application development. The engagement priorities are listed as, but not limited to: wasmCloud sandboxing capabilities of user-provided code, if users were appropriately limited in their accessible features…
OSTIF and X41-Dsec collaborated with OpenSearch on a security audit on v. 2.8.0 of the open source search engine. As a search engine, this project handles sensitive data and therefore security is of utmost importance to project users, maintainers, and community. The main objective of this security audit was to…
OSTIF and Trail of Bits coordinated and executed a security audit of Eclipse JKube, an Eclipse Foundation project. Eclipse JKube is an assembly of plugins and libraries for building container images using Docker, JIB or S2I build strategies. The project escorts Java applications to Kubernetes and OpenShift by forcing through…
This summer, over four engineer weeks, Trail of Bits and OSTIF collaborated on a security audit of DragonFly. A CNCF Incubating Project, DragonFly functions as file distribution for peer-to-peer technologies. Included in the scope was the sub-project Nydus’s repository that works in image distribution. The engagement was outlined and framed…