Workshop for finding software vulnerabilities using open source tools, which includes a Goat-like Python and C application

iosifache/ossfortress

The Open Source Fortress

Docker image: GHCR     Documentation: available

Context

Regardless of where it is hosted, a codebase could end up in the hands of malicious actors. Aside from the open source scenario, attackers may utilize sophisticated techniques to access and download it. Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub, is an example.

With this in mind, developers are advised to take a defensive posture, namely to uncover as many flaws in their code as possible before releasing it to the public.

The Open Source Fortress

The workshop, named "The Open Source Fortress", provides both theoretical and practical information about detecting vulnerabilities in codebases. It explains how each technique works, what open source tools are available, and then provides real examples.

Caution

If you just want to start solving the workshop without further details, visit this wiki page with instructions.

Sand Castle

The examples imply the discovery of vulnerabilities in a custom, purposefully vulnerable codebase named Sand Castle. It is written in C and Python.

The included techniques are:

  • Threat modelling;
  • Secret scanning;
  • Dependency scanning;
  • Linting;
  • Code querying;
  • Symbolic execution; and
  • Fuzzing.

Wiki

The wiki includes all the information required to complete the workshop (including on your own) and to learn more about the provided vulnerable application and analysis infrastructure.

Presentations

Please click the images below to view the most recent presentations used when hosting the content of this repository as a talk or workshop.

As a talk

As a workshop

Repository

The repository hosts all sources related to The Open Source Fortress, ranging from the presentations used in talks to the source code and Docker images. Its structure is as follows:

.
├── sandcastle/            Source code for Sand Castle
├── tooling/               Docker images for all analysis tooling
├── analysis/              Empty folder that will hold files produced during the
│                          analysis
├── docker-compose.yaml    Docker infrastructure deploying Sand Castle and the
│                          required analysis tooling
├── wiki/                  Source code of the wiki
├── presentations/         Presentations used when hosting talks and workshops
│                          related to The Open Source Fortress
├── others/                Miscellaneous files, including the logo and diagrams
├── README.md              This page/file
├── CONTRIBUTING.md        Guide on how to contribute to improving this workshop
└── LICENSE                License file

On-site presentations

The Open Source Fortress was hosted multiple times in public setups as:

  • Talk, in which the concepts presented in the workshop were summarised and demos showcasing the open-source tools were recorded;
  • Workshop, with both theoretical and practical components; and
  • CTF challenge, in which the players were required to patch the vulnerabilities included in Sand Castle.

You can use the resources from each (e.g., slides and recordings) as a supplement to the recommended talks and to solve the workshop effectively.

| Event                                                    | Showcase date | Showcase form | Duration    | References                           |
|----------------------------------------------------------|---------------|---------------|-------------|--------------------------------------|
| Opportunity Open Source Conference, an OSS-focused conference | August 2024   | Talk          | 40 minutes  | Slides and talk page                 |
| AppSec Village at DEFCON, an appsec conference           | August 2024   | Workshop      | 2.5 hours   | Slides and talk page                 |
| SCaLE 21x, an open source community                      | March 2024    | Talk          | 1 hour      | Talk page and recording              |
| Ubuntu Summit, a community conference                    | November 2023 | Workshop      | 1.5 hours   | Slides and talk page                 |
| DefCamp, a cybersecurity conference                      | November 2023 | Talk          | 30 minutes  | Slides, talk page, and recording     |
| Canonical lightning talk                                 | November 2023 | Talk          | 5 minutes   | Slides                               |
| UbuCTF, a CTF organised by the Ubuntu Security Team      | November 2023 | CTF challenge | 2 days      | Podcast mention                      |

Contributing

Please check the repo's CONTRIBUTING.md for further information on how you can help!

Acknowledgements

Previous works, such as Juice Shop, WebGoat and WrongSecrets, inspired this workshop.

This project's logo was created with Adobe Firefly.