Open source project Kyverno completed a security audit by OSTIF and Ada Logics in the fall of 2023 in continued partnership with the CNCF. This engagement was organized to be a holistic review of the Kubernetes policy engine, including threat modeling, manual code auditing, fuzzing and supply-chain review. The security…
Open source project Mosquitto underwent a security audit with OSTIF and Trail of Bits in collaboration with the Eclipse Foundation. The project, which is a message broker for the MQTT protocol, is designed to connect the Internet of Things. Projects that are open to the internet have increased landscape exposure…
OSTIF is pleased to announce the completion of a security audit of Eclipse Jetty in collaboration with the Eclipse Foundation and Trail of Bits. This audit was a part of a package of work organized and managed by OSTIF to provide security engagements to Eclipse Foundation projects. With funding and…
OSTIF and wasmCloud collaborated with Trail of Bits on a security audit of the application which is a deployment platform for distributed Wasm application development. The engagement priorities are listed as, but not limited to: wasmCloud sandboxing capabilities of user-provided code, if users were appropriately limited in their accessible features…
OSTIF and X41-Dsec collaborated with OpenSearch on a security audit on v. 2.8.0 of the open source search engine. As a search engine, this project handles sensitive data and therefore security is of utmost importance to project users, maintainers, and community. The main objective of this security audit was to…
OSTIF and Trail of Bits coordinated and executed a security audit of Eclipse JKube, an Eclipse Foundation project. Eclipse JKube is an assembly of plugins and libraries for building container images using Docker, JIB or S2I build strategies. The project escorts Java applications to Kubernetes and OpenShift by forcing through…
This summer, over four engineer weeks, Trail of Bits and OSTIF collaborated on a security audit of DragonFly. A CNCF Incubating Project, DragonFly functions as file distribution for peer-to-peer technologies. Included in the scope was the sub-project Nydus’s repository that works in image distribution. The engagement was outlined and framed…
In May and June of 2023, OSTIF and ADA Logics worked with the open source project Dapr on a holistic security audit. The Distributed Application Runtime (or Dapr) is a project for building distributed applications across cloud and edge. It is an easy, portable, and serverless way to build sustainable…
Crossplane underwent a successful third party security audit by ADA Logics with the support of Open Source Technology Improvement Fund (OSTIF). Used by firms such as JP Morgan, Time Warner, and MIT Lincoln Lab, the project is considered Incubating at CNCF. Over the first half of 2023, the multi-cloud control…
Open Source Technology Improvement Fund (OSTIF), K-9 Mail, and 7ASecurity collaborated on a security audit of the Mozilla K-9 email application. K-9 is an open source email application and runs on most Android phone systems. Ideally, the application is reliable, intuitive, and secure to use. Not only critical to Android…