Pentest / Source Code Review

[moloch--]

Get someone other than myself and Ronan to review the code.

[rkervella]

Example considerations (non exhaustive list):

• Attacker has access to the source (once we open source the project)
• Multiplayer: unauthorized access to a sliver server
• Unauthorized access to running agents (i.e: ability to spoof the server / send commands to running slivers)
• RCE via logged in operator (might be worth to check for escape shell issues in the generate and msf commands)
• ...

[moloch--]

We may want to document specific security objectives. As you stated, to me there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server. I also added an "audit log" to the server for a white team to review, which records all of the (remote) operator's commands that relies on this boundary.

[rkervella]

Totally agree with this. Also, I don't know the status for other projects, but I think putting detailed GitHub issues with the security label could be enough for the reporting part.

[Eriner]

I'd be happy to help in this effort, but I'll need to tackle some other PRs to familiarize myself with the codebase. If I don't circle back to this in a couple of weeks, ping me.

[moloch--]

@altf4 - If R&D wants to chip in :)

[h4ng3r-BF]

Coverity offers free scan for OSS projects, maybe we should try.

[rkervella]

From their main page:

Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free

[h4ng3r-BF]

Sorry golang is aviable in 2019.06 but the scan is still in the 2019.03, maybe in a few months they will upgrade to 2019.06.