By Amir Montazery, Open Source Technology Improvement Fund
Security audits are an extremely effective tool for improving the security of critical projects. In 2022, OpenSSF and Google sponsored a number of security audits and associated work via strategic partner Open Source Technology Improvement Fund (OSTIF).
OSTIF is a non-profit that specializes in working directly with open source projects and helping them improve security posture holistically. The process focuses on code review, the finding and fixing of critical vulnerabilities and classes of bugs, and improving the tools used to keep projects secure.
Today OSTIF released its Independent Security Audit Impact Report.
The funding of this work aligns with OpenSSF’s mission to advance open source security for all, especially within the lens of securing critical projects. Given that an overwhelming majority of projects have never been reviewed from a security perspective by an independent expert, security audits are a crucial way to improve security. Furthermore, this work serves as evidence of effectiveness of the code audits investment stream as outlined in the OpenSSF’s Software Security Mobilization Plan.
OSTIF is responsible for coordinating over 20,000 hours of security audits that led to over 30 critical vulnerability patches and 160 security issue fixes in 2022 alone. A majority of focus in this iteration was on projects identified as critical by the Harvard Census II Report. Git, curl, jackson-core and jackson-databind, and slf4J are widely adopted projects and used extensively around the world. The high level results can be seen below.
The Full Report
OSTIF publishes all audit reports to the public for free. All reports can be found in the reference section of the report.
Looking ahead to 2023, we can use more help. OSTIF’s work is being recognized and supported by top thought leaders in the open source community. We are auditing more projects than ever before and honored to help critical projects improve their security.
OSTIF recommends all organizations who wish to make an impactful difference in improving security in open source to continue funding security work. We hope that the results outlined by this report and OSTIF’s long track record of successful engagements serve as evidence of our ability to be an effective partner for improving security posture of open source projects.
Sincere thanks to Google and OpenSSF for funding this work. More support and funding will result in more engagements and security improvements.