FileSender software is entrusted with user’s files and hence needs to be secure. To ensure an adequate level of security is achieved each major release of FileSender is subject to at least one code security audit. While we don’t expect FileSender to hold out against a determined state-funded attacker we do expect the software to follow all publicly known security best current practices and have no “oops” security holes.
Using funding provided by HEAnet the FileSender project hired Pine Digital Security to execute a code security audit of the FileSender 2.0 development code. The audit was executed on revision 3390 of the SVN branche branches/filesender-2.0 and done in the timeframe 12 January 2015 – 3 February 2015. Pine sent the report with its findings on 3 February 2015. The report was discussed on 4 February in a meeting between Jan Meijer (FileSender project lead), Etienne Meleard (FileSender development lead) and in a conference call between the two aforementioned and Daan Keuper from Pine Digital Security.
Based on these discussions an assessment was made of each of the identified issues and the appropriate response from the project decided. The general impression was that the code improved significantly compared with version 1.6. No structural security issues were found.
A total of 10 issues were identified. Two of these were of type “oops” and were fixed without discussion. Five were of type “defence in depth” and have been addressed. Two items identified as a vulnerability are considered by the project as a feature. The last item considers insufficiently secure random number generation which is an issue for download URL protection. This has been addressed.
We’ve documented the issues found, our assessment and response as well as our follow-up including ticket numbers. You find all details in this document:
As I write this, a second and more extensive security audit funded by RENATER and executed by French security firm Amossys. This audit is expected to report at the end of March. As part of the contract, any significant findings would be reported promptly. After 2 weeks of audit no significant findings have been reported.
Are you curious to see what’s in version 2.0? Interested in trying it out?
- Install it from SVN using our 2.0-alpha installation recipe
- Try using it on my test server
- Check the available documentation for 2.0-alpha
Do you want the 2.0 release to progress faster? Help out with documenting! Send me an email on jan dot meijer at uninett dot no.