News

ownCloud Releases Static Security Scan Results


By ownCloud


As an open source company we value our strong commitment to transparency and the importance of community. Only transparent and open processes allow customers and users to verify the security of their ownCloud.

A Proven Track Record of Open Source Security

ownCloud has a proven track record of open source security. We, for example, publish detailed security advisories and regularly find security vulnerabilities within widely deployed third-party components.

While nearly all critical issues are discovered internally, we realize that no software can be completely secure and that more eyes can help to make our software even more secure.

Because of this, we’re running a public and transparent bug bounty program, making it possible to reward security researchers that find security issues within ownCloud server. In fact, our bounty program is even featured in a recent Case Study of HackerOne and has been quoted as “the benchmark for a well-executed, successful HackerOne launch.”

Besides relying on internal and external security expertise, we're also augmenting our security processes with several automated and semi-automated sources. One of them is the Veracode Static Source Code Analyzer. Considering our strong open source history, we are publishing the latest scan result for ownCloud Server today.

What is a Static Source Code Analyzer?

A static source code analyzer takes the source code of a program and tries to find bugs in it. The one from Veracode is focused on finding security vulnerabilities.

It does this by looking at functions known to be potentially dangerous (so-called "sinks") and checking whether the data reaching them has been tainted by user-controllable input. Consider the following very simple example:

  <?php
  // Source: the "id" query parameter is user-controlled input.
  $var = $_GET['id'];
  // Sink: the tainted value is written into the HTML response unescaped.
  echo sprintf("You ordered %s", $var);

In this case the analyzer would realize that $var reads its value from $_GET['id'], which is user-controlled input, and that this data is then printed directly to the user, leading to a typical Cross-Site Scripting vulnerability (CWE-79).
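To make the source-to-sink reasoning concrete, here is a deliberately tiny taint tracker written for this post (it is an added illustration, not Veracode's engine or ownCloud code). It treats PHP superglobals as sources, echo/print as sinks, and htmlspecialchars()/intval() as sanitizers, and runs over a constructed copy of the snippet above plus an escaped variant.

```python
import re

# Constructed mini taint tracker (illustration only, not Veracode's analyzer):
# user-controlled sources ($_GET, $_POST, ...) propagate through assignments;
# an echo/print fed by tainted data is reported as a CWE-79 candidate.
SOURCE_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\[")
# Calls treated as sanitizers; their result is considered safe to output.
SANITIZER_RE = re.compile(r"\b(htmlspecialchars|intval)\([^()]*\)")


def _is_tainted(expr, tainted):
    """True if expr reads a source or a tainted variable outside a sanitizer."""
    expr = SANITIZER_RE.sub("SAFE", expr)
    if SOURCE_RE.search(expr):
        return True
    return any(re.search(r"\$" + re.escape(v) + r"\b", expr) for v in tainted)


def find_xss(php_source):
    """Return [(line_no, statement)] for every sink reached by tainted data."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        stmt = line.strip().rstrip(";")
        assign = re.match(r"\$(\w+)\s*=\s*(.+)$", stmt)
        if assign:  # propagate (or clear) taint through the assignment
            name, rhs = assign.groups()
            if _is_tainted(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
            continue
        sink = re.match(r"(?:echo|print)\s+(.+)$", stmt)
        if sink and _is_tainted(sink.group(1), tainted):
            findings.append((no, line.strip()))
    return findings


# Constructed inputs: the post's example and a variant that escapes the output.
VULNERABLE = "<?php\n$var = $_GET['id'];\necho sprintf(\"You ordered %s\", $var);\n"
FIXED = ("<?php\n$var = $_GET['id'];\n"
         "echo sprintf(\"You ordered %s\", htmlspecialchars($var, ENT_QUOTES, 'UTF-8'));\n")

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, find_xss(src))
```

A real analyzer models many more sources, sinks, sanitizers and control-flow paths; this sketch only shows why the flow from $_GET to echo is flagged and why escaping the value clears the finding.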

Side remark: ownCloud uses a strict Content-Security-Policy to mitigate Cross-Site Scripting vulnerabilities. So if you’re using ownCloud as well as a modern browser you’re likely protected against any potential XSS vulnerability.

While static source code analyzers do not provide 100% security, we consider them a good addition to our other existing security processes. Only with the combined help of automated tools and strong internal and external security knowledge can a secure solution be guaranteed.

Please visit our dedicated Security page to download the scan results and gain greater detail about ownCloud’s commitment to security.

ownCloud

April 6, 2016
