Jan 6, 2011 14:41 GMT

A critical security update has been released for the Piwik Web analytics software, after the project paid a security firm to perform a full audit of its code.

In a somewhat rare move for an open source project, the Piwik development team used funds gathered from sponsors to hire security professionals for a code review.

The security consultancy selected to perform the audit, SektionEins, is based in Cologne, Germany.

The firm specializes in Web application security and employs Stefan Esser, a well known open source security researcher who founded the PHP Security Response Team.

SektionEins' products include the popular Suhosin PHP security system and its services range from security audits to security consulting and training.

"Our security audits include source code reviews, penetration testing and process analysis for all relevant parts of the audited application," the company says.

The Piwik code was reviewed on both the server side and the client side for a wide range of attack vectors, including cross-site scripting (XSS), SQL/code injection, session manipulation through cross-site request forgery (CSRF), authentication bypass, and low-level attacks on web server modules.
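The audit scope above names XSS, SQL injection and CSRF. The following is an added illustration, not Piwik's code and not SektionEins' material, of the defensive patterns a code review of a PHP web application checks for against those three classes: contextual output encoding, parameter binding, and a per-session anti-forgery token. Function names, the `visits` table and the session array are hypothetical; it assumes PHP 7 or later with the PDO SQLite driver.

```php
<?php
declare(strict_types=1);

// --- XSS: encode untrusted data at the point it is written into HTML ---
function renderSiteName(string $untrustedName): string
{
    // ENT_QUOTES escapes both quote styles, so the value is also safe inside attributes.
    return '<span class="site">'
        . htmlspecialchars($untrustedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// --- SQL injection: bind parameters instead of concatenating input into the query ---
function findVisitsForSite(PDO $db, int $idSite, string $period): array
{
    // The placeholders are sent separately from the SQL text, so a quote inside
    // $period is data, not syntax.
    $stmt = $db->prepare(
        'SELECT idsite, period, hits FROM visits WHERE idsite = :idsite AND period = :period'
    );
    $stmt->bindValue(':idsite', $idSite, PDO::PARAM_INT);
    $stmt->bindValue(':period', $period, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- CSRF: tie state-changing requests to a secret a third-party page cannot read ---
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding in a form field.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison avoids leaking the token through timing differences.
    return hash_equals($session['csrf_token'], $submitted);
}

// --- Constructed demo run (in-memory SQLite so this executes offline) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (idsite INTEGER, period TEXT, hits INTEGER)');
$db->exec("INSERT INTO visits VALUES (1, 'day', 42), (2, 'day', 7)");

// Script tags in a site name are rendered as inert text.
echo renderSiteName('<script>alert(1)</script>'), PHP_EOL;

// A period value carrying a quote matches no row; the bound value never alters the WHERE clause.
echo count(findVisitsForSite($db, 1, "day' OR '1'='1")), " rows for the quoted value", PHP_EOL;
echo count(findVisitsForSite($db, 1, 'day')), " rows for 'day'", PHP_EOL;

// The token stored in the session must match the one submitted with the form.
$session = [];
$token = issueCsrfToken($session);
var_dump(verifyCsrfToken($session, $token));
var_dump(verifyCsrfToken($session, 'forged-token'));
```

The three checks correspond to what a reviewer looks for in each class: every output sink uses an encoder matched to its context, every query reaches the database with its inputs bound rather than interpolated, and every state-changing request carries a token that is generated server-side, stored in the session and compared in constant time.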

The five-day audit resulted in Piwik 1.1, a major update which contains no fewer than 112 bug fixes and is rated as critical by the project's maintainers.

"Stefan [...] sent us all the details about what could be improved in Piwik regarding security (various recommendations, XSS, etc.). Anthon and Matt from the Piwik team then prepared fixes and improvements," the developers note.

The Piwik team was very impressed with the results and does not regret the choice it made. It recommends that all other open source projects (or closed source ones) perform similar audits.

Piwik 1.1 was released on January 4 and was quickly followed the next day by version 1.1.1, which addressed a few bugs affecting certain rare PHP configurations.