The Open Source Fortress

Docker image: available on GHCR. Documentation: available.

Context

Regardless of where it is hosted, a codebase could end up in the hands of malicious actors. Even when the code is not open source, attackers may use sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is an example.

With this in mind, developers are advised to take a defensive posture, that is, to uncover as many flaws in their code as possible before releasing it to the public.

The workshop

The workshop, named The Open Source Fortress, provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.

The examples involve discovering vulnerabilities in a custom, purposefully vulnerable codebase named Ubuntu Portrait. It is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.

Presentation

Please click the image below to view the most recent presentation used when hosting this workshop.

Showcases

| Event | Showcase date | Showcase form | References |
| --- | --- | --- | --- |
| Ubuntu Summit, a community conference | November 2023 | Entire workshop, with both theoretical and practical components | Slides and talk page |
| DefCamp, a cybersecurity conference | November 2023 | Talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Slides and talk page |
| Canonical lightning talk | November 2023 | 5-minute pitch of the workshop | Slides |
| UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge in which the players had to patch the vulnerabilities | |

Acknowledgements

Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.