
Can someone with security industry knowledge comment on how much weight we should give this? Are these sorts of things something you can just buy and they'll go out of their way to give you a favourable report because you're the client? Is Insight Risk Consulting known and credible?


This was an external infrastructure test which carries no real weight for the app itself. It just makes sure that stupid stuff like SSH open to the internet, no public CMS available etc. hasn't happened. That being said, Bitwarden do do more in-depth security audits, but this particular audit doesn't really mean too much.


The report itself was automatically generated by one of the popular scanning tools. It's 1 hour to run the automated scan and 1 day to format the PDF nicely for the customer.

The thing is half worthless, verifying that the CDN has TLS and raising warnings about obscure HTTP/CORS headers.

But occasionally it can find some really bad misconfiguration or library with a critical vulnerability in dire need of an upgrade. (Of course they would never publish a report finding issues like that).


I recognise Insight (going by the name & logo) as one that is on at least one of our larger clients' (we work on systems to manage regulatory compliance, primarily with investment banks) PSLs for application penetration testing. Assuming this is the same company and not some small-fry crook who is trying to steal their thunder (I've not looked in any depth beyond "I know that logo"), that would suggest that the report is not of the "pay to pass" variety. There would be some noise if a company on the banks' security provider PSLs were found to be offering pay-to-pass security audits.

Such companies sometimes offer a range of penetration testing options from relatively superficial to aggressive, in-depth, and detailed, so you'd need to read the report (I will when I have more time as we are considering Bitwarden for our credential management) to see if what it is saying is sufficiently reassuring.


> Are these sorts of things something you can just buy and they'll go out of their way to give you a favourable report because you're the client?

That happens.

I can't comment on Insight Risk Consulting, as I don't know that company. They write they had a previous audit from Cure53. That's a well known and very skilled security company and I would expect that you can't buy an "please ignore as many vulns as possible" report from them.


Does it matter?

They found something worth fixing, despite the project being open source with bug bounties and previous audits having been made.


That has nothing to do with it being open source. In close-source systems I've seen penetration testers find security issues that have been present for years despite annual audits during that time. This is one of the reasons why our services get at least annual penetration testing, even the legacy ones that won't have changed since the last test. It is not a bad idea to cycle through providers too, on the off chance that some may use different tooling that exposes certain flaws more readily than the techniques used by others.

Being open source just increases the chance of a problem being spotted if there are sufficiently clued-up people looking. Being open does not at all guarantee that any given problem will be spotted during the normal course of work. Security issues can be due to combinations of flaws in widely spaced code, so even if working directly on one part you might not realise there is an issue in conjunction with another part. That is why it is necessary to have tests/audits like this, for both open and closed source systems, where someone is tasked specifically to look for security problems.

It isn't right to criticise Bitwarden for being tested and issues being found (unless those issues are systemic and/or just plain stupid, or you believe the project's response to resolve them is too slow or incomplete). Instead concern should be aimed at security related products that are not regularly subject to external audit at all. Not having any issues because you have not checked for them is a much greater worry!


I think that was the point of the previous comment.

That, despite the software being open-source and therefore more likely to have bugs spotted, and despite having a bug bounty program, the auditing company found a moderate issue, therefore they must be thorough.


> ...therefore they must be thorough.

I wonder if that's the case here. I don't work in that space but the issues they found seem like they might be low hanging fruit. I've pasted them below for anyone that's curious.

> The Cross Origin Resource Sharing (CORS) configuration on Bitwarden server APIs allows for any client origin to access its endpoints.

> The Content Security Policy (CSP) configuration on the Bitwarden web vault application allows for 'unsafe-inline' CSS styles to execute.
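For readers who want to see what those two findings actually look like on the wire, here is an added example that is not part of the thread and not Bitwarden's own code. It classifies a CORS response for a probe origin (a hypothetical attacker site; the response headers are constructed for illustration) and parses a Content-Security-Policy header to decide whether inline styles are allowed, including the CSP Level 2 rule that 'unsafe-inline' is ignored once a nonce or hash source is present in the same directive. A weak header set sits beside a hardened one so the difference is visible.

```python
# Added example, not from the thread or from Bitwarden: header checks for the two
# findings quoted above, run offline over constructed response headers.
from typing import Dict, List, Optional

# Source expressions that make browsers ignore 'unsafe-inline' in the same directive.
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_sources(policy: Dict[str, List[str]]) -> List[str]:
    """style-src falls back to default-src when it is not set explicitly."""
    return policy.get("style-src", policy.get("default-src", []))


def csp_allows_inline_styles(csp_header: str) -> bool:
    """True if the policy lets inline <style> blocks and style="" attributes apply."""
    sources = [s.lower() for s in style_sources(parse_csp(csp_header))]
    if not sources:
        return True  # neither style-src nor default-src: styles are unrestricted
    if any(s.startswith(HASH_PREFIXES) for s in sources):
        return False  # nonce/hash present, so 'unsafe-inline' is ignored by the browser
    return "'unsafe-inline'" in sources


def cors_finding(request_origin: str, headers: Dict[str, str]) -> Optional[str]:
    """Classify the CORS response to a request sent from request_origin.

    Probe with an origin you do not control to learn whether the API trusts
    arbitrary clients. Returns None when the browser would block cross-origin reads.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Any page may read the response; browsers refuse to send credentials with "*".
        return "any-origin"
    if acao == request_origin:
        # The probe origin was echoed back. With credentials, a hostile page can call
        # the API as the logged-in user.
        return "reflected-origin-with-credentials" if creds else "reflected-origin"
    return None  # a fixed allow-list entry that does not match the probe


# Constructed header sets (hypothetical hosts), one weak and one hardened.
PROBE_ORIGIN = "https://attacker.example"

WEAK_HEADERS = {
    "Access-Control-Allow-Origin": "https://attacker.example",  # echoed from the request
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://vault.example",  # fixed allow-list entry
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'nonce-r4nd0m'",
}


def audit(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> List[str]:
    """Return the findings a scanner would raise for one captured response."""
    findings: List[str] = []
    cors = cors_finding(probe_origin, headers)
    if cors:
        findings.append(f"CORS: {cors}")
    if csp_allows_inline_styles(headers.get("Content-Security-Policy", "")):
        findings.append("CSP: inline styles allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_HEADERS))
    print("hardened:", audit(HARDENED_HEADERS))
```

The CORS check only has meaning for the origin you send: a reflected origin is harmless if it is genuinely on an allow-list, so the probe has to be a host the server should not trust. It also needs a live request per origin; here the responses are already captured.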


That is why it is important the reports from security audits include what was looked for and at least a little detail about how.

If they were appropriately thorough and all they found were low-hanging fruit, then that is a good thing.

Of course a detailed report is no absolute guarantee: we once had a test done that I think was more than shoddy: there was not nearly enough activity on the web server over the testing period for the amount of automated work they claimed to have done, and I spotted an issue a couple of weeks later that at least one of their documented processes really should have picked up on. That company is no longer in business thankfully.


If you were selling bogus report results for clients you'd still include a non-major thing or two. Gives a better impression of legitimacy than full marks across the board.



