
The Open Source Fortress

Docker image: GHCR

Documentation: available

Context

Regardless of where it is hosted, a codebase can end up in the hands of malicious actors. Even when the code is not open source, attackers may use sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is an example.

With this in mind, developers are advised to take a defensive posture: uncover as many flaws in their code as possible before releasing it to the public.

The Open Source Fortress

The workshop, named "The Open Source Fortress", provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.

Important

If you just want to start solving the workshop without further details, visit this wiki page with instructions.

Sand Castle

The examples involve discovering vulnerabilities in a custom, purposefully vulnerable codebase named Sand Castle. It is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.

Wiki

The wiki includes all the information required to complete the workshop (possibly on your own) and to learn more about the provided vulnerable application and analysis infrastructure.

Presentations

Please click the images below to view the most recent presentations used when hosting the content of this repository as a talk or workshop.

As a talk

As a workshop

Repository

The repository hosts all sources related to The Open Source Fortress, from the presentations used in talks to source code and Docker images. Its structure is as follows:

.
├── sandcastle/          Source code for Sand Castle
├── tooling/             Docker images for all analysis tooling
├── analysis/            Empty folder that will hold files produced during the analysis
├── docker-compose.yaml  Docker infrastructure deploying Sand Castle and the required analysis tooling
├── wiki/                Source code of the wiki
├── presentations/       Presentations used when hosting talks and workshops related to The Open Source Fortress
├── others/              Miscellaneous files, including the logo and diagrams
├── README.md            This page/file
├── CONTRIBUTING.md      Guide on how to contribute to improving this workshop
└── LICENSE              License file

On-site presentations

The Open Source Fortress has been hosted multiple times in public settings as a:

  • Talk, in which the concepts presented in the workshop were summarised and demos showcasing the open-source tools were recorded;
  • Workshop, with both theoretical and practical components; and
  • CTF challenge, in which the players were required to patch the vulnerabilities included in Sand Castle.

You can use the resources (e.g., slides and recordings) from each as a supplement to the recommended talks and as help in solving the workshop effectively.

Event | Showcase date | Showcase form | Duration | References
Opportunity Open Source Conference, an OSS-focused conference | August 2024 | Talk | 40 minutes | Slides and talk page
AppSec Village at DEFCON, an appsec conference | August 2024 | Workshop | 2.5 hours | Slides and talk page
SCaLE 21x, an open source community | March 2024 | Talk | 1 hour | Talk page and recording
Ubuntu Summit, a community conference | November 2023 | Workshop | 1.5 hours | Slides and talk page
DefCamp, a cybersecurity conference | November 2023 | Talk | 30 minutes | Slides, talk page, and recording
Canonical lightning talk | November 2023 | Talk | 5 minutes | Slides
UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge | 2 days | Podcast mention

Contributing

Please check the repository's CONTRIBUTING.md for further information on how you can help!

Acknowledgements

Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.