Skip to main content

The Open Source Fortress

Docker image: GHCR   Documentation: available


Regardless of where it is hosted, a codebase could end up in the hands of malicious actors. Aside from the open source scenario, attackers may utilize sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is an example.

With this in mind, developers are advised to take a defensive posture, namely to uncover as many flaws in their code as possible before releasing it to the public.

The workshop

The workshop, named The Open Source Fortress, provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.

The examples imply the discovery of vulnerabilities in a custom, purposefully vulnerable codebase named Ubuntu Portrait. It is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.


Please click the image below to view the most recent presentation used when hosting this workshop.


EventShowcase dateShowcase formReferences
Ubuntu Summit, a community conferenceNovember 2023Entire workshop, with both theoretical and practical componentsSlides and talk page
DefCamp, a cybersecurity conferenceNovember 2023Talk summarizing the concepts presented in the workshop and containing demos of the recommended toolsSlides and talk page
Canonical lightning talkNovember 20235-minute pitch of the workshopSlides
UbuCTF, a CTF organised by the Ubuntu Security TeamNovember 2023CTF challenge in which the players had to patch the vulnerabilities


Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.