Cross-posted from the OSTIF blog
OSTIF is proud to share the results of our security audit of LitmusChaos. LitmusChaos is an open source chaos engineering platform for a multitude of cloud platforms. With the help of 7ASecurity and the Cloud Native Computing Foundation, this project can continue to provide secure chaos testing environments for developers.
Audit Process:
This engagement was a whitebox security review paired with pentesting performed by the team at 7ASecurity. The scope of the audit was the source code of the project, which was targeted by testing to determine the best future security efforts as well as identify any vulnerabilities or hardening recommendations. Due to the function of LitmusChaos as a testing ground for software development lifecycles (specifically chaos engineering), it is important that the project is consistently being reviewed and tested for potential security threats. The project’s function creates a large attack surface, which makes it difficult to defend. Focus for the threat model was on general system flow, supply chain attacks, and deployment environments to determine the security of LitmusChaos function across multiple cloud platforms.
Audit Results:
- 16 Findings with a Security Impact
- 6 Vulnerabilities- 1 Critical, 3 High, 2 Medium
- 10 Hardening Recommendations- 2 Medium, 5 Low, 3 Informational
- Custom Threat Model of the data flow in LitmusChaos
- 8 Threats to the project defined, with detailed attack scenarios and fix recommendations
- Recommendations for future security hardening in LitmusChaos
The audit report emphasizes that despite the number and severity of the findings of this audit, LitmusChaos has well-implemented security efforts that reflect well on the function, build, and maintenance of the project. LitmusChaos’s maintainers have provided proof of fixes for all issues related to this audit, which have been verified by 7ASecurity and are available in the audit report.
Third-party security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security as well as releases and life cycles. OSTIF wishes LitmusChaos the best on its path towards Graduation through the CNCF Incubating Projects Program.
Thank you to the individuals and groups that made this engagement possible:
- LitmusChaos maintainers and community- specifically Umasankar Mukkara, Amit Das, Karthik Satchitanand, Prithvi Raj, Saranya Jena, Sarthak Jain, Shovan Maity, Vedant Shrotria, Namkyu Park, Sayan Mondal, Hrishav Kumar, Sahil Kumar, and Udit Gaurav
- 7ASecurity-Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Miroslav Štampar, and Szymon Grzybowski
- The Cloud Native Computing Foundation
You can read the Audit Report HERE
You can read 7ASecurity’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact amir@ostif.org.