Regardless of where it is hosted, a codebase could end up in the hands of malicious actors. Aside from the open source scenario, attackers may utilize sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is an example.
With this in mind, developers are advised to take a defensive posture, namely to uncover as many flaws in their code as possible before releasing it to the public.
The workshop, named "The Open Source Fortress", provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.
Caution
If you just want to start solving the workshop without further details, visit this wiki page with instructions.
The examples imply the discovery of vulnerabilities in a custom, purposefully vulnerable codebase named Sand Castle. It is written in C and Python.
The included techniques are:
- Threat modelling;
- Secret scanning;
- Dependency scanning;
- Linting;
- Code querying;
- Symbolic execution; and
- Fuzzing.
The wiki includes all the information required to complete the workshop (eventually on your own) and learn more about the provided vulnerable application and analysis infrastructure.
The repository hosts all sources related to The Open Source Fortress, starting from presentations used in talks to source code and Docker images. Its structure is as follows:
.
├── sandcastle/ Source code for and Castle
├── tooling/ Docker images for all analysis tooling
├── analysis/ Empty folder that will hold files producedduring the
| analysis
├── docker-compose.yaml Docker intrastructure deploying Sand Castle and the
| required analysis tooling
├── wiki/ Source code of the wiki
├── presentations/ Presentations used when hosting talks and workshops
| related to The Open Source Fortress
├── others/ Miscelleneous files, including the logo and diagrams
├── README.md This page/file
├── CONTRIBUTING.md Guide on how to contribute to improving this workshop
└── LICENSE License file
The Open Source Fortress was hosted multiple times in public setups as:
- Talk, in which the concepts presented in the workshop were summarised and demos showcasing the open-source tools were recorded;
- Workshop, with both theoretical and practical components; and
- CTF challenge, in which the players were required to patch the vulnerabilities included in Sand Castle.
You can use the resources (e.g., slides and recordings) from each as a supplement to the recommended talks and effectively solving the workshop.
| Event | Showcase date | Showcase form | Duration | References |
|---|---|---|---|---|
| AppSec Village at DEFCON, an appsec conference | August 2024 | Workshop | 2.5 hours | Talk page |
| SCaLE 21x, an open source community | March 2024 | Talk | 1 hour | Talk page and recording |
| Ubuntu Summit, a community conference | November 2023 | Workshop | 1.5 hours | Slides and talk page |
| DefCamp, a cybersecurity conference | November 2023 | Talk | 30 minutes | Slides, talk page, and recording |
| Canonical lightning talk | November 2023 | Talk | 5 minutes | Slides |
| UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge | 2 days | Podcast mention |
Please check repo's CONTRIBUTING.md for further information on how you can help!
Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.
This project's logo was created with Adobe Firefly.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent