The 2024 Backstage Security Audit
TL;DR Backstage’s security posture remains strong! Today, we’re releasing the report from the second independent security audit of the Backstage project.
As an Incubating project within the Cloud Native Computing Foundation (CNCF), Backstage is fortunate enough to take advantage of sponsored continuous security audits. The Open Source Technology Improvement Fund (OSTIF) sponsors the audits as part of its ongoing efforts to secure the open source software ecosystem, and the audit itself was performed by X41 D-Sec, who also performed the first audit. Our goal with the audit was to re-evaluate and further improve Backstage’s security posture, focusing on the core Backstage framework and plugins.
Report Findings and Fixes
The security audit and improvements concluded on October 16. The audit findings totalled three high and one medium severity vulnerability, alongside seven side findings with no direct security impact. All main findings were remedied in the Backstage 1.31 release, while the majority of the side findings were addressed by the 1.32 release. For details on all findings, see the full audit report.
We are happy to see that there are no repeated vulnerabilities, perhaps in part due to our new secure coding practices following the previous audit, as well as the introduction of the Backstage Threat Model. A path traversal vulnerability was discovered in the TechDocs backend, but it was more specific, relating to remote paths rather than the local filesystem. We chose to handle this as an isolated fix, as there are no other occurrences of this pattern that we are aware of.
The previous security audit highlighted the need for Backstage to have its own built-in protection, to be secure by default. This, as well as the need for more robust service-to-service auth, was addressed earlier this year through the new auth system, in 1.24 and following releases. The new auth system was in scope for this new security audit, and no findings were made in that area.
One area with findings in both audits is the way that the auth plugin backend handles sign-in of users. This is a complex area that can often be a source of friction for the adoption experience of Backstage. As part of this audit we have made several updates, especially to the documentation for sign-in resolvers, but this remains an area where it is hard to find a solution that is both simple and secure. Of course we err on the side of caution and have updated our documentation to be more strict. We will continue to explore options for improvements to the sign-in system to keep it both simple and secure out of the box, but in the meantime be sure to read the documentation section on sign-in identities and resolvers as you are setting up Backstage.
We are happy with the results of this security audit; it is yet another way in which we see the continuing maturity of the Backstage project. On behalf of the Backstage maintainers and community: thanks to the CNCF, OSTIF, and X41 D-Sec for the opportunity to improve the project.