Netgate, the dedicated hardware partner of the FreeBSD-based open source firewall pfSense, recently enlisted the respected technology organization InfoSec Global to perform a code review of its widely deployed security solution.
“An independent code review is one of the most fundamental and significant steps that occurs during the software development process. In 2016, Netgate engaged with Infosec Global, an independent, third-party firm with over 150 years of collective experience in the security and IT industry, to conduct a top to bottom, post-commit audit of pfSense software version 2.3.2.”
“For this project, Netgate provided Infosec Global with the Netgate XG-2758 1U Security Gateway Appliance with pfSense software version 2.3.2 installed with a default production configuration and the source code included the commercial features which are not included in the community edition as the target for this engagement. The software provided for the purpose of this audit is only available pre-installed on pfSense security appliances from Netgate.”
“This project was managed by Technical Director Ahmed Techini and Security Engineers Paul Lam and Daniele Bastianello. ISG employed both automated and manual code review approaches to conduct the source code review, as outlined in the final report. All evaluation activities were conducted in the ISG Globus Cyber Assurance facility based in Ottawa between early September and mid-October 2016 with an addendum based on previously-mitigated items issued in December 2016.”
“The overall opinion of the engagement team is that the Netgate XG-2758-1U pfSense security appliance is a well designed, robust and secure security appliance with a large community behind it making this product an easy choice to recommend for businesses of any size.”
“Infosec Global scores threats on a bottom-up percentage scale, with 0% being a perfect score and 100% being most critical. As indicated in the audit report, pfSense 2.3.2 scored an outstanding 1%, which included concerns that were mitigated during the audit process with the release of pfSense software version 2.3.2_p1, or that were raised but do not apply to the firmware reviewed.” – via InfoSec Global
Along with the growing number of security engineers who implement the pfSense/Netgate tandem as an enterprise firewall, the positive results of the code review by InfoSec Global lend further credibility to its readiness as a viable, community-vetted open source solution for deployment in high-risk production environments.