“Audits cost too much” We’ve seen what happens in the open source ecosystem when audits are deferred – those vulnerabilities assumed to not exist are discovered, and the aftermath is a project, community, and entire ecosystem in shambles. If you ask those authors if they made the right choice deferring…
Why OSTIF? There’s a lot of misconceptions that cause stagnation when it comes to procuring and participating in security audits. How does one even begin to get an audit, much less fund it? There is too much work involved, and not enough help from the auditors. It’s just a way…
OSTIF is proud to share the results of our security audit of Temurin. Temurin is an open source project for building high performing Java runtime binaries. With the help of Trail of Bits and the Eclipse Foundation, this project will continue to securely support users who develop Java codes across…
OSTIF is proud to share the results of our security audit of Boost. Boost is an open source provider of free portable C++ source libraries. The project aims to establish a benchmark to provide reference implementations for future C++ standards. With the help of Shielder and Amazon Web Services, Boost…
OSTIF is proud to share the results of our security audit of Kuksa. Kuksa.val is an open source vehicle abstraction layer. With the help of Quarkslab and the Eclipse Foundation, this project will continue to provide in-vehicle software components for users working with in-vehicle signals in a secure and efficient…
OSTIF is proud to share the results of our security audit of CloudCustodian. CloudCustodian is an open source rules engine for cloud infrastructure management. Thanks to the help of Ada Logics and the Cloud Native Computing Foundation, this project underwent a third-party security audit to help strengthen CloudCustodian’s security as…
OSTIF is proud to share the results of our security audit of Bref. Bref is an open source project that allows developers to go serverless on AWS with PHP. With the help of Shielder and Amazon Web Services, this project has strengthened their foundation of transparency and easy customization for…
OSTIF is proud to share the results of our security audit of cURL HTTP/3. cURL is an open source command line tool and library, the most widely used HTTP client software in the world. This engagement was for the new components of HTTP/3 in cURL. With the help of Trail…
OSTIF is proud to share the results of our security audit of Jackson subprojects. Jackson-dataformats-binary, Jackson-dataformats-text, Jackson-dataformat-xml, Jackson-datatype-joda, and Jackson-datatypes-collections are open source subprojects that contribute to Jackson (described as “JSON for Java”). With the help of Ada Logics and the Sovereign Tech Fund, these subprojects will be more secure…
The Drupal project partnered with OSTIF for a series of audits on key technology to support supply chain security for automatic updates. Specifically, the PHP-TUF client-side library and its server-side Rugged counterpart underwent a security audit by Include Security organized by OSTIF. The Update Framework (or “TUF”) is a cryptographically-secure…