The Open Source Fortress
Multiple posts on social media contributed to the creation of The Open Source Fortress, a workshop that explains what open source tools are available for discovering vulnerabilities in codebases and how to use them.
The workshop employs a customised, purposely insecure Python and C codebase to demonstrate the use of different techniques and tools:
- Threat modelling with OWASP Threat Dragon;
- Secret scanning with Gitleaks;
- Dependency scanning with Google Open Source Security Team's OSV-Scanner;
- Linting with Bandit and flawfinder;
- Code querying with Semgrep;
- Fuzzing with AFL++; and
- Symbolic execution with KLEE.
Sound appealing? You can begin by reading more about the workshop on its home page, then complete the tasks, checking your work against the accompanying checklist, a cheat sheet of vulnerability detection commands.
What if the workshop does not cover an excellent tool you use to uncover flaws in your codebase? Both the workshop and the goat-style (deliberately vulnerable) application are open-sourced on GitHub. You can spend a few seconds opening an issue with the details of that tool, or a dozen minutes writing a guide for it. The makers of the tool will be pleased to learn that you took the time to publicise their work!
The community also became aware of this work through two conferences.
Ubuntu Summit, held this year in Latvia's capital, provided an ideal setting for the workshop's debut: a group of open source, Linux, and Ubuntu enthusiasts went through the workshop's material and worked on the proposed tasks.
The other conference was Bucharest's DefCamp, where I gave a 30-minute talk about vulnerability detection concepts and received feedback. The potential of DefCamp to bring together the Romanian community in the same location, in addition to the participants from other countries, was the icing on the cake. It was fantastic to talk with old friends, folks I had only communicated with online, and interesting people I met at this year's conference.