The Open Source Fortress
Context
Regardless of where it is hosted, a codebase can end up in the hands of malicious actors. Even when the code is not open source, attackers may use sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from the company's GitHub repositories, is an example.
With this in mind, developers are advised to take a defensive posture: uncover as many flaws in their code as possible before releasing it to the public.
The workshop
The workshop, named The Open Source Fortress, provides both theoretical and practical information about detecting vulnerabilities in codebases. For each technique, it explains how the technique works, which open source tools are available, and then walks through real examples. If you plan to go through the workshop on your own, the first two parts (the explanation of the technique and the overview of the tools) should be replaced by the recommended talks listed in each Basics section.
The examples involve discovering vulnerabilities in a custom, purposefully vulnerable codebase named Ubuntu Portrait, written in C and Python.
The included techniques are:
- Threat modelling;
- Secret scanning;
- Dependency scanning;
- Linting;
- Code querying;
- Symbolic execution; and
- Fuzzing.
Presentation
Please click the image below to view the most recent presentation used when hosting this workshop.
![](https://raw.githubusercontent.com/iosifache/oss_fortress/main/presentation/ubuntu-summit-23/preview.png)
Showcases
Event | Showcase date | Showcase form | References |
---|---|---|---|
SCaLE 21x, an open source conference | March 2024 | 1-hour talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Talk page |
Ubuntu Summit, a community conference | November 2023 | Entire workshop, with both theoretical and practical components | Slides and talk page |
DefCamp, a cybersecurity conference | November 2023 | 30-minute talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Slides and talk page |
Canonical lightning talk | November 2023 | 5-minute pitch of the workshop | Slides |
UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge in which the players had to patch the vulnerabilities | |
Acknowledgements
Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.
This project's logo was created with Adobe Firefly.