As an open source company we value our strong commitment to transparency and the importance of community. Only transparent and open processes allow customers and users to verify the security of their ownCloud.
A Proven Track Record of Open Source Security
ownCloud has a proven track record of open source security. We, for example, publish detailed security advisories and regularly find security vulnerabilities within widely deployed third-party components.
While nearly all critical issues are discovered internally, we realize that no software can be completely secure and that more eyes can help to make our software even more secure.
Because of this, we’re running a public and transparent bug bounty program, making it possible to reward security researchers that find security issues within ownCloud server. In fact, our bounty program is even featured in a recent Case Study of HackerOne and has been quoted as “the benchmark for a well-executed, successful HackerOne launch.”
Besides relying on internal and external security expertise, we’re also augmenting our security processes with several automated and semi-automated sources, one of them being the Veracode Static Source Code Analyzer. Considering our strong open source history, we are publishing the latest scan result for ownCloud Server today.
What is a Static Source Code Analyzer?
A static source code analyzer takes the source code of a program and tries to find bugs in it. The one from Veracode is focused on finding security vulnerabilities.
It does this by looking at possible known vulnerable functions (so called “sinks”) and compares whether they have been tainted with user controllable input. Consider the following very simple example:
```php
$var = $_GET['id'];
echo sprintf("You ordered %s", $var);
```
In this case the analyzer would recognize that $var reads its value from $_GET['id'], which is user-controlled input, and that this data is then printed directly to the user, leading to a typical Cross-Site Scripting vulnerability (CWE-79).
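To make the source-to-sink idea concrete, here is a deliberately small taint tracker, added as an illustration for this post and not code from ownCloud or Veracode. It models only straight-line PHP assignments and echo statements: superglobals such as $_GET are the sources, echo is the sink, and htmlspecialchars/htmlentities are treated as sanitizers that clear taint. The two PHP snippets it scans are constructed inputs: the vulnerable one from the text and a fixed variant that escapes the value before it reaches the sink.

```python
import re

# Sources: expressions that deliver user-controlled input (assumed list).
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
# Sinks: statements where unescaped tainted data becomes a vulnerability.
SINKS = {"echo": "CWE-79 Cross-Site Scripting"}
# Sanitizer calls whose result is considered safe for an HTML sink.
# Only calls without nested parentheses are recognized (simplification).
SANITIZER_RE = re.compile(r"\b(?:htmlspecialchars|htmlentities)\s*\([^()]*\)")

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
ECHO_RE = re.compile(r"^\s*echo\s+(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")


def expr_is_tainted(expr, tainted):
    """True if the PHP expression `expr` can carry user input to its consumer."""
    # Replace sanitizer calls with a clean placeholder before inspecting the rest.
    cleaned = SANITIZER_RE.sub("SAFE", expr)
    if any(src in cleaned for src in SOURCES):
        return True
    # Any reference to a variable already known to be tainted propagates taint.
    return any(var in tainted for var in VAR_RE.findall(cleaned))


def analyze(php_lines):
    """Walk statements in order, propagate taint through assignments, report sink hits.

    Returns a list of (line number, weakness label, offending statement).
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_lines, 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if expr_is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassignment with clean data clears taint
            continue
        m = ECHO_RE.match(line)
        if m and expr_is_tainted(m.group(1), tainted):
            findings.append((lineno, SINKS["echo"], line.strip()))
    return findings


# Constructed sample inputs: the snippet from the post and an escaped variant.
VULNERABLE = [
    "$var = $_GET['id'];",
    'echo sprintf("You ordered %s", $var);',
]
FIXED = [
    "$var = $_GET['id'];",
    "$safe = htmlspecialchars($var, ENT_QUOTES, 'UTF-8');",
    'echo sprintf("You ordered %s", $safe);',
]

if __name__ == "__main__":
    for name, code in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, analyze(code) or "no findings")
```

The tracker is a flow-insensitive caricature of what a real analyzer does: it has no notion of branches, function calls, or context-specific escaping (htmlspecialchars is safe for HTML text nodes but not, for instance, inside a JavaScript string), which is exactly why commercial engines are far larger and why their results still need review by someone who knows the code.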
Side remark: ownCloud uses a strict Content-Security-Policy to mitigate Cross-Site Scripting vulnerabilities. So if you’re using ownCloud as well as a modern browser you’re likely protected against any potential XSS vulnerability.
While static source code analyzers do not provide 100% security, we consider them a good addition to our other existing security processes. Only with the combined help of automated tools and strong internal and external security knowledge can a secure solution be guaranteed.