For the past 4 years, OSTIF has run a Managed Audit Program for the CNCF. We’ve audited 33 projects in that time, working with maintainers all over the world to reinforce the security health of cloud native open source for billions of end users. Security audits are an effective, sustainable…
OSTIF is a proud participant in the Sovereign Tech Agency's Sovereign Tech Resilience Program. Outside of that work, we've also been funded to carried out ad hoc security engagements on critical open source software. Funding security solutions that are quantifiable, sustainable, and verifiable is an important part of the Sovereign…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of conda-forge. conda-forge is a community-driven open source repository of conda package manager recipes. With the help of 7ASecurity and the Sovereign Tech Agency, this project has invested in its longevity and security health…
OSTIF is proud to share the results of our 2024 security audit collaboration with the Cloud Native Computing Foundation (CNCF). Over the past three years, OSTIF and the CNCF have worked together to provide security audits for CNCF projects. These projects, as a part of the CNCF landscape, must undergo…
OSTIF is proud to share the results of our security audit of OperatorFabric. OperatorFabric is an open source industrial platform for utility operations. With the help of Quarkslab and Linux Foundation Energy (LF Energy), this project will continue to provide secure, centralized business operations for users and high-quality service to…
OSTIF is proud to share the results of our security audit of SEAPATH. SEAPATH is an open source project hosted by Linux Foundation Energy (LF Energy) that consolidates clusters of servers for energy and power management across substations at the utility level. With the help of Ada Logics and LF…
OSTIF is proud to share the results of our security audit of CloudCustodian. CloudCustodian is an open source rules engine for cloud infrastructure management. Thanks to the help of Ada Logics and the Cloud Native Computing Foundation, this project underwent a third-party security audit to help strengthen CloudCustodian’s security as…
OSTIF is proud to share the results of our security audit of Bref. Bref is an open source project that allows developers to go serverless on AWS with PHP. With the help of Shielder and Amazon Web Services, this project has strengthened their foundation of transparency and easy customization for…
OSTIF started performing security audits in earnest in 2018, tackling a new level of involvement open source security. That same year was OSTIF’s first collaboration with security firm Trail of Bits, working together to complete an audit of RandomX. Since then our two companies have worked together on 12 security…
OSTIF is proud to announce the publication of a security audit on the Kubernetes cluster tooling Flux in collaboration with Trail of Bits. Performed over four engineer weeks, this is the second security audit with OSTIF that Flux has undertaken, the first having taken place in November 2021. Repeated security…