Security Audit of RSTUF

X41 performed a source code audit of Repository Service for TUF (RSTUF), a collection of components that simplify the adoption of The Update Framework (TUF). The audit was sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team has addressed the issues identified.

Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-OSTIF-RSTUF-Audit-2024-Final-Report-Public.pdf
RSTUF Blogpost: https://repository-service-tuf.readthedocs.io/en/stable/blog/posts/rstuf-security-audit-for-1.0.0.html

Audit Results

X41 discovered no vulnerabilities during the audit. This is attributable to the quality of the code and to the design: authorization is delegated to third-party components, and the signatures themselves are managed by TUF. Nevertheless, 13 issues without direct security impact were identified.

These informational findings concern outdated components in the development setup, such as dependencies and Docker containers. Furthermore, hardening measures were suggested: enabling TLS for communications, network segmentation in the development setup, running processes as less privileged users, and setting time limits for Celery tasks. Additionally, functional issues were identified and reported.

Overall, the security posture of RSTUF is above average for a project in the beta stage.