Security Audit of RSTUF

X41 performed a source code audit of Repository Service for TUF, a collection of components that simplify the adoption of TUF, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team addressed the issues identified.

The source code in scope for this audit was the Git commit 9ec018d of the so-called umbrella repository, which contains the three submodules repository-service-tuf-cli, repository-service-tuf-api, and repository-service-tuf-worker that were also in scope.

Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-OSTIF-RSTUF-Audit-2024-Final-Report-Public.pdf
RSTUF Blogpost: https://repository-service-tuf.readthedocs.io/en/stable/blog/posts/rstuf-security-audit-for-1.0.0.html

Audit Results

No vulnerabilities were discovered by X41 during the audit. This is attributable to the quality of the code, to security features such as authorization being delegated to third-party components, and to the actual signatures being managed by TUF. Nevertheless, 13 issues without direct security impact were identified.

These informational findings relate to outdated components in the development setups, such as dependencies and Docker containers. Furthermore, suggestions for hardening measures were identified: enabling TLS for communications, network segmentation in the development setup, running processes as less privileged users, and setting time limits for Celery tasks. Additionally, functional issues were identified and reported.
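To make one of the hardening suggestions concrete, the following is an added illustration (not code from the RSTUF project or from the X41 report) of what a Celery task time limit buys a worker: a task that hangs or runs away is interrupted instead of occupying the worker indefinitely. The `task_soft_time_limit` and `task_time_limit` keys are real Celery setting names; the values are constructed. Celery itself is not imported here; the `run_bounded` helper re-implements the soft-limit behaviour with a SIGALRM timer so the mechanism can be run stand-alone on a Unix host.

```python
import signal
from contextlib import contextmanager
import time

# Constructed example values for a Celery worker configuration.
# The soft limit raises an exception inside the task so it can clean up;
# the hard limit makes the worker kill the task process outright.
CELERY_TIME_LIMITS = {
    "task_soft_time_limit": 30,  # seconds (assumed value)
    "task_time_limit": 60,       # seconds (assumed value)
}


class SoftTimeLimitExceeded(Exception):
    """Stand-in for the exception Celery raises when the soft limit fires."""


@contextmanager
def soft_time_limit(seconds):
    """Raise SoftTimeLimitExceeded in the calling thread after `seconds`.

    Mirrors the soft-limit mechanism with a one-shot SIGALRM timer
    (Unix only, and only valid on the main thread).
    """
    def _on_alarm(signum, frame):
        raise SoftTimeLimitExceeded(f"soft time limit ({seconds}s) exceeded")

    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        yield
    finally:
        # Always disarm the timer and restore the previous handler,
        # otherwise a late alarm could interrupt unrelated code.
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)


def run_bounded(task, seconds):
    """Run `task()` under a soft time limit.

    Returns ("ok", result) when the task completes in time and
    ("timed_out", None) when the limit interrupts it.
    """
    try:
        with soft_time_limit(seconds):
            return ("ok", task())
    except SoftTimeLimitExceeded:
        return ("timed_out", None)


def slow_task(seconds):
    """A constructed task that simulates a hung or runaway job."""
    time.sleep(seconds)
    return "finished"


if __name__ == "__main__":
    print(run_bounded(lambda: 42, 1.0))            # ('ok', 42)
    print(run_bounded(lambda: slow_task(5), 0.2))  # ('timed_out', None)
```

In a real deployment the two dictionary values go into the worker's Celery configuration; the soft limit should be low enough that a stuck task is noticed quickly and the hard limit a little higher so the task gets a chance to clean up before the worker kills it.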

Overall, the security posture of RSTUF is above average for a project in beta stage.