7ASecurity Completes LitmusChaos Audit

7ASecurity is proud to share the results of our security audit of LitmusChaos. LitmusChaos is an open source chaos engineering platform for a multitude of cloud platforms. With the help of the Open Source Technology Improvement Fund (OSTIF) and the Cloud Native Computing Foundation, this project can continue to provide secure chaos testing environments for developers.

LitmusChaos security audit
Audit Process:

This engagement was a white-box security review paired with pentesting, performed by the team at 7ASecurity. The scope of the audit was the source code of the project, which was tested to determine the best future security efforts as well as to identify any vulnerabilities or hardening recommendations. Because LitmusChaos serves as a testing ground for the software development lifecycle, especially for chaos engineering, it is important that the project is consistently reviewed and tested for potential security threats. The project's function creates a large attack surface, which makes it difficult to defend. The threat model focused on general system flow, supply chain attacks, and deployment environments to determine the security of LitmusChaos when operating across multiple cloud platforms.

Please note all identified issues were resolved by the LitmusChaos team and the fixes were verified by 7ASecurity.

Audit Results:
  • 16 Findings with a Security Impact
    • 6 Vulnerabilities - 1 Critical, 3 High, 1 Medium
    • 10 Hardening Recommendations - 2 Medium, 5 Low, 3 Informational
  • Custom Threat Model of the data flow in LitmusChaos
    • 8 Threats to the project defined, with detailed attack scenarios and fix recommendations
  • Recommendations for future security hardening in LitmusChaos

The report for LitmusChaos emphasizes that despite the number and severity of the findings of this audit, the project has well-implemented, positive security measures and efforts that reflect well on the function, build, and maintenance of the project. Third-party security audits don't just create quantitative results; they also produce documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. OSTIF wishes LitmusChaos the best on its path towards Graduation through the CNCF Incubating Projects Program.

Thank you to the individuals and groups that made this engagement possible:

  • LitmusChaos maintainers and community - specifically Amit Das, Karthik S, Prithvi Raj, Saranya Jena, Sarthak Jain, and Udit Gaurav
  • The Cloud Native Computing Foundation
  • The Open Source Technology Improvement Fund

You can read the Audit Report HERE

You can read the OSTIF Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, please contact amir@ostif.org.