Why OSTIF?
There’s a lot of misconceptions that cause stagnation when it comes to procuring and participating in security audits. How does one even begin to get an audit, much less fund it? There is too much work involved, and not enough help from the auditors. It’s just a way to dump bugs on overworked maintainers. We could go on.
The feasible answer to the questions and conundrums of open source security audits is OSTIF.
The Open Source Technology Improvement Fund has been connecting open-source projects of all sizes with much needed funding and logistical support since 2016, facilitating over 12,000 hours of preventative high quality security work (security/IT audits/fuzzing work) at no cost to maintainers. And those maintainers who do have a budget, spend less through high quality security audits that help identify and resolve issues in their projects before being exploited. Regardless, financial limitations are not a reason to avoid audits, especially when OSTIF can help you save money and help source funds.
Over the last 2 years, OSTIF has done about $1.5 million in funding per year for security audits, with a little under 20% of that going to overhead. We are able to leverage our experience and processes to receive up to 30% discounts on audit work as compared to other security firms’ proposals. We take our cut out of the savings we provide for you, meaning no hidden costs or additional fees for audits, without sacrificing quality or professional expertise.
These audits place experienced security professionals in a position to thoroughly engage with a project by sourcing teams skilled in the project’s language, function, and security needs to work directly on it. These audit results strive for quantifiable findings as well as quality assurance and recommendations to resolve issues before they can be exploited, while also helping contribute important information for lifecycle planning and succession training for maintainers. From start to finish, the audit process serves to educate maintainers and developers through shared high value feedback and expert security practices.
OSTIF runs audits based on the lessons learned having managed over 75 open source engagements. These engagements benefitted from important maintainer contribution providing the best possible outcomes. We also work with maintainers to find the best methods for communicating, auditing, and reporting that best fits their needs. Timelines are adjustable, and part of the customization that comes in working with OSTIF is the ability of maintainers to set expectations that promote mutual understanding across all invested parties.
In the open source ecosystem, it’s easy to feel like no one wants to help your project’s security. That’s where OSTIF comes in. We have the experience, knowledge, processes, and resources to help projects receive actionable security work that is reproducible and easily incorporated by maintainers. Our processes make the audit as lightweight as possible on maintainers, and create results that are meaningful and salient to your project’s lifecycle. We are entirely open source focused, so we understand the landscape and needs of open source projects. Share yours with us and let’s talk open source!
We’ve answered some FAQs about the audit process in our blog Reasons Why Most Audits Are Still Waiting.