The OSTIF Difference

OSTIF’s holistic security solution has a proven track record that directly supports open source projects. OSTIF demonstrates the highest performance per dollar for directly sourcing security resources to open source projects, which has resulted in significant and sustained improvements. 

What we do

We offer direct comprehensive support to open source project maintainers and communities by championing the security audit process from start to finish. 

Why it Matters

Open source technology IS critical infrastructure. There has never been a better time to come together and take responsibility for open-source technology. Supporting OSTIF with funding is one of the most effective ways to directly improve the security posture of open source projects in the ecosystem. 

OSTIF’s process is designed to reduce headaches and be a lightweight but highly impactful exercise for the open source communities behind the projects. We facilitate the audit process from start to finish on behalf of and to support the open source project maintainers and contributors. 

OSTIF Enables Access to

  • Highly experienced security researchers – people who understand how open source communities work. 
  • The full spectrum of OSS, from underfunded, under-supported projects outside the commons to some of the biggest open source projects in the world.
  • Mediation by renowned and experienced open source security and community experts.

Direct Benefits of Security Audits to Project Communities, Based on OSTIF Experience

  • Developing or augmenting a threat model.
  • Classifying and resolving bug backlogs.
  • Help closing bugs found during the engagement. 
  • Tuning up current fuzzers or developing new ones. 
  • Valuable advice on security concerns or issues.
  • Options of static, dynamic, or manual code testing.
  • Implementing best practices by performing tests or qualifying for certification.
Why OSTIF is Different from Other Organizations

  • Large security firms: We work with a deep network of researchers and professionals, most of whom are dedicated solely to open source security specializations. 
  • Technology companies: We are dedicated to navigating the complexities of security audits and producing results efficiently. 
  • Foundations: We focus solely on improving the security of open source projects and have a proven method for doing so. 


What sets us apart

  • End-to-End Service: Onboarding, Scoping, Bidding Process, Team Selection.
  • Teams are all specialized and matched based on specific security disciplines.
    • Example 1: LLVM – the lead researcher on the project earned their PhD on LLVM research and is a top contributor to OSS-Fuzz. 
    • Example 2: OpenSSL – the cryptographer who worked on the project was on one of the finalist teams in the NIST SHA-3 competition. 
  • All OSTIF Engagements are led by Senior Researchers with RELEVANT experience in open source. 
  • Transparency and Publishing Our Work for Peer Review and Advancement. 
  • Process is designed to be a lightweight exercise for maintainers/contributors. 
  • Significantly Higher “Hit Rate” for Finding and Fixing Severe Vulnerabilities
    • Research supports this

Difference between a Bug Bounty Program and an OSTIF Security Audit

Time is money, and bug bounties typically have a huge problem with wasting maintainers’ time. 

Audits quickly triage “low hanging fruit” as well as address severe vulnerabilities, eliminating time wasted by OSS maintainers. Furthermore, a bug bounty has no guarantee of quality and, more often than not (especially as AI bug bounties emerge), floods maintainers with noise and wastes their time. 

An OSTIF audit means that you have security experts discovering and responding to pertinent findings as they are found, bearing the weight normally pushed onto the project maintainers. 

Why we do it

Projects need an independent entity to champion the security audit process from start to finish. By serving as a trusted third-party advisor and facilitating and managing the security audit, we deliver cost savings and quality assurance to supporters. To be successful, third-party audits need a dedicated team monitoring the process; we aim to be a trusted, reputable firm whose results speak for themselves. 

What we leave behind – After Effects

  • Improved Security Practices
    • This has been evidenced by multiple open source projects that have undergone several security audits over the project’s lifetime. Later audits do reflect project changes (new features, re-engineering, etc.), but they also show evidence of an improved security posture: fewer severe findings, attributable to improvements in code and testing practices. 
  • Contacts with experience working with your project’s security.
  • Improved security testing infrastructure
    • Examples include:
      • Fuzzing
      • Semgrep
      • CI/CD Integration
      • Documentation 

Sample of Projects that have undergone 2 OSTIF audits: 

Value Proposition

We direct high-quality security work to help improve open source projects at competitive rates with fully transparent results, without levying an undue burden on contributor and maintainer communities.

  • Direct benefits to open source project communities
  • Addressing technical debt and security needs through testing, threat modeling, application of best practices, and support in resolving issues. 

Pain Points Alleviated

  • Assisting OSS Projects through the Security Audit process to a high degree of quality and cost control. 
  • Lending a hand to organizations and foundations that want secure OSS software by managing security audit programs across diverse projects. 
  • Helping source security partners and experts in OSS. 
  • Facilitating projects with resources ranging from fundraising to administration to project management. 

What a partner foundation has said about OSTIF: 

“OSTIF streamlines the initiation of security audits by assisting us in defining the audit’s scope relative to our budget and eliminating the challenging task of seeking appropriate partners.”

What a leading cloud open source foundation has said about OSTIF: 

“As open source permeates every industry and technology across the world, it’s of utmost importance to ensure high quality security practices for critical projects. We are proud of our high impact partnership with OSTIF that has yielded multitudes of security improvements across some of the most widely used cloud native open source projects.”

What a leading cloud infrastructure provider organization has said about OSTIF: 

“Congratulations to OSTIF on the diligent work completing the list of 2023 security audits. Thoroughly reviewing the systems and processes of widely used open source projects is crucial for identifying risks and ensuring the creation of a secure and sustainable environment, primed for innovation.

I commend everyone involved for their commitment to building safer infrastructure through these essential audits, as the diligent work allows us to take appropriate steps to make these systems more secure for our customers.”

What project maintainers and contributors have said about OSTIF

  • “OSTIF and the firm they retained were extraordinarily helpful and thorough. The engineers involved were very willing to consider maintainer points of view, and were also quite persuasive – some flags they raised turned out to be nothing, and some turned out to be issues that were more important than they initially seemed, so it was great to surface the best answer with enthusiastic discussion.”
  • “Thanks to our collaboration with OSTIF, we’ve been able to improve and validate our security posture. Working with OSTIF not just once, but twice, has been an outstanding experience and we look forward to future collaborations to further strengthen our security efforts.”
  • “OSTIF helps ensure right focus on priorities by taking away the painstaking task of finding the right partners, project management responsibilities and ascertaining mutually agreeable modus operandi between parties involved.”
  • “OSTIF has a strong understanding of how open source projects operate and we really appreciated that they were able to jump in and help us coordinate an audit.” 
  • “OSTIF were great partners that made the process of doing the audit a breeze and provided a helpful guiding hand. We really appreciated their professionalism and expertise. I can confidently say that we plan on working with OSTIF again.”

Case Study: Eclipse Foundation

The Eclipse Foundation had a budget of $150,000 for security audit work. OSTIF arranged, almost to the exact dollar, 3 security audits with amazing results all within budget. 

Results of the three audits: 

  • 18 High Severity Findings Fixed. 
  • Fuzzing and static analysis tool integration for all three projects. 

Interesting Consideration: 

  • To highlight OSTIF’s competitive bidding advantage, we had a security firm provide a quote for one of the projects without any scoping guidance. 
    • The result: A proposal for a security audit that would cost $143,000 USD.
    • After OSTIF scoping and competitive discount, final audit cost was $71,000.