The Open Source Fortress

  • Docker image: GHCR
  • Documentation: available

Regardless of where it is hosted, a codebase can end up in the hands of malicious actors. Even when the code is not open source, attackers may use sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is one example.

With this in mind, developers are advised to take a defensive posture: uncover as many flaws in their code as possible before releasing it to the public.

The workshop

The workshop, named The Open Source Fortress, provides both theoretical and practical information about detecting vulnerabilities in codebases. For each technique it explains how the technique works, which open source tools are available, and then walks through real examples. If you plan to do the workshop on your own, replace the first two parts (the explanation of the technique and of its tools) with the recommended talks listed in each Basics section.

The examples involve discovering vulnerabilities in a custom, purposely vulnerable codebase named Ubuntu Portrait, which is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.
Click the image below to view the most recent presentation used when hosting this workshop.

| Event | Showcase date | Showcase form | References |
|---|---|---|---|
| SCaLE 21x, an open source community | March 2024 | 1-hour talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Talk page |
| Ubuntu Summit, a community conference | November 2023 | Entire workshop, with both theoretical and practical components | Slides and talk page |
| DefCamp, a cybersecurity conference | November 2023 | 30-minute talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Slides and talk page |
| Canonical lightning talk | November 2023 | 5-minute pitch of the workshop | Slides |
| UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge in which the players had to patch the vulnerabilities | |

Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.