We are a security company. Our goal is to help our community members secure their assets. But one of our core values is to drink our own champagne and walk the talk. So, a few months ago, we asked Synacktiv to perform a code review on the CrowdSec agent.
The tests were performed using a white-box approach, with the CrowdSec source code fetched from our official GitHub repository. The objectives were to identify vulnerabilities and their associated risks, exploit them, and list remediations that would improve the security level of the application.
We are happy to share that the conducted assessment revealed an excellent security level. In a nutshell:
- No compromise scenarios have been identified
- The attack surface of the component is well controlled and offers extremely limited possibilities to attackers
- The overall code quality is high, and the technologies used, combined with a sound software architecture, offer a strong general security level.
Some issues were spotted, but none of them was considered to have a high overall severity, and all of them were fixed during the assessment.
The full report can be downloaded here.
“Synacktiv appreciated the great reactivity and availability of the CrowdSec team all along the audit performed on its agent. Linked to the absence of critical findings, it demonstrates CrowdSec's engagement in securing source code deployed to its users' infrastructure.”
Renaud Dubourguais, COO and head of the pentest team @ Synacktiv
This assessment is only one step of the security review campaign we have been running since day 1 in order to keep improving the security of our solution and ensure maximum safety for our community. Stay tuned for more news on the matter.
About Synacktiv
Synacktiv is a French company, founded in 2012 by two cyber security experts and specialized in offensive security. They help companies assess and strengthen the security of their systems and assets, and aim to become the French reference in their field. Their team is fully composed of digital ninjas.