iosifache / oss_fortress

Workshop for finding software vulnerabilities using open source tools, which includes a Goat-like Python and C application

Home Page:https://ossfortress.io


The Open Source Fortress

Context

Regardless of where it is hosted, a codebase can end up in the hands of malicious actors. Even when the code is not open source, attackers may use sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is one example.

With this in mind, developers are advised to take a defensive posture, namely to uncover as many flaws in their code as possible before releasing it to the public.

The Open Source Fortress

The workshop, named The Open Source Fortress, provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.

The examples involve discovering vulnerabilities in a custom, purposely vulnerable codebase named Ubuntu Portrait, which is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.

Presentation

Please click the image below to view the most recent presentation used when hosting this workshop.

Wiki

Please visit the wiki if you want to complete the workshop on your own and learn more about the provided vulnerable application.

Showcases

| Event | Showcase date | Showcase form | References |
|-------|---------------|---------------|------------|
| Ubuntu Summit, a community conference | November 2023 | Entire workshop, with both theoretical and practical components | Slides and talk page |
| DefCamp, a cybersecurity conference | November 2023 | Talk summarizing the concepts presented in the workshop and containing demos of the recommended tools | Slides and talk page |
| Canonical lightning talk | November 2023 | 5-minute pitch of the workshop | Slides |
| UbuCTF, a CTF organised by the Ubuntu Security Team | November 2023 | CTF challenge in which the players had to patch the vulnerabilities | |

Contributing

Please check CONTRIBUTING.md for further information on how you can help!

Acknowledgements

Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.

License:GNU General Public License v3.0
