Description
The assignment will focus in auditing an existing open source software, providing a report with finding regarding the security qualities of it.
Students should select a software, select the files/parts of the software to be analyzed and provide an audit report for it. It is important that the project is implemented using a language the students have good knowledge. Then, they should carefully analyze the processes present on that part of the project, under the scope of existing CWEs and the OWASP Top 10 2021. The analysis should include the audit planning, the software design, patterns expressed in the source code, and dynamic analysis with additional tests. If possible, crafted exploits should be developed to demonstrate the vulnerability.
If security issues are found:
- the issue is to be clearly identified;
- Brief description
- Technical description
- Pattern, any input vectors, screenshots
- the CWE should be determined;
- the CVSS calculated;
- test code should be created to demonstrate the vulnerability;
- recommendations should be produced to fix the issue
- if relevant, including the correct source code
A responsible disclosure process should also take place by informing the authors and, if the authors allow it, by creating the CVEs.
Examples of other reports are:
- https://version-2.com/wp-content/uploads/2022/08/Anonymised-Web-Application-Penetration-Testing-Report.pdf
- https://cure53.de/pentest-report_1password-core-2021.pdf
- https://brew.sh/assets/pdf/security_audit_report.pdf
Delivery and Grading
The result should be a report detailing the processes analyzed, any findings, exploits, and the disclosure process.
Delivery should consist of a PDF with the audit report, or a compressed file also including scripts, communications with the authors, and other files to demonstrate vulnerabilities. These files are to be submitted to MS Teams.
The main highlights of the audit process (software, finding, disclosure) should also be presented to colleagues in class.
All materials submitted must be created by the report authors. Using materials from other sources without reference will be considered as plagiarism.