TL;DR
Collabora Productivity employs a multi-layered security onion strategy that covers many areas. In Part 1, we explain how our security is built on rigorous organisational compliance, including ISO 9001 and ISO 27001 certifications. This framework is bolstered by continuous automated testing, such as a large-scale continuous fuzzing campaign and regular static code analysis, that proactively identifies and fixes vulnerabilities before software is released.
Certified, Active Security
The security considerations for document handling encompass a huge number of areas. It brings to mind Douglas Adams’s famous “Big, really big” quote, as security is fundamental to how we build and operate as a company. Security is core to our internal processes, and goes on to inform our software design and technical architecture through to our software development processes, implementation, continuous testing, security reporting and support.
We have another blog that covers ‘softer’ security measures found inside the Collabora Online (COOL) UI that provide advisory restrictions, such as cell protection, section editing and read-only locks. These are soft or advisory policies embedded into the document file itself. In this blog, however, we focus on our approach to hard security: engineering controls that build hard policy directly into the software to ensure your documents are safe when edited in COOL. This is built around a multi-layered security onion approach which also includes server-side document isolation, request signing, our constant automated testing, security maintenance and much more.

Certified and Audited Security: ISO Standards
At the core of Collabora Online (COOL) is over eight million lines of code. The codebase we re-use from Collabora Office is mature technology, proven over many years. So how do we avoid introducing mistakes as we continue to rapidly improve the product?
Any effective approach to security needs to start with the way a company operates and how it complies with recognised standards and legislation. Achieving ISO 9001:2015 certification and developing a Business Management System (BMS) combined with a Quality Management System (QMS) means that Collabora Productivity customers can trust that we have a consistent framework in place for continuously improving our processes, managing risks and improving efficiency.
A BMS is also particularly effective when integrated with dedicated security standards, which is why the company is also certified to ISO 27001:2022 and has an Information Security Management System (ISMS) in place.
An ISMS framework encompasses the people, processes, and technologies that manage the overall security of Collabora Productivity’s systems and data. An ISMS follows a risk-based approach, focusing on identifying and prioritising risks and implementing appropriate controls to mitigate them. As well as helping demonstrate compliance with regulatory requirements, an ISMS indicates a continuous approach to improving security that addresses emerging threats.
Staff and Engineering Training
All staff at Collabora Productivity must complete compulsory training on the company’s BMS as well as general security awareness. The training covers security policies we have in place, preventative measures for security breaches and potential methods and strategies that attackers use to gain infrastructure access.
In addition, all Collabora engineers complete training that provides comprehensive instruction on the security implications of modern code development and deployment practices. Engineers gain an understanding of the tools for managing risk in the development process, such as version control, peer review and automated testing.
Collabora Productivity has a comprehensive security report handling and response process and fosters a culture which values and rewards the detection and mitigation of security vulnerabilities.
Annually, the company undergoes a thorough independent audit to confirm ongoing compliance with its ISO certifications. Internally, company leadership reviews progress and assists in the improvement of processes and procedures. Our certification documentation is available on request and provides our partners and customers with confidence that the company is pursuing excellence with its company and security framework and approach.
Automated Testing
Part of the company’s continuous approach to security involves the use of automated software, which incorporates:
- Coverity Scan Static Analysis
- Crash Testing
- Fuzzing (OSS-Fuzz)
Coverity Scan Static Analysis
Collabora’s engineering team regularly submits the software stack to Coverity Scan for static code analysis. We scan both C++ and JavaScript code for automated defect detection and vulnerability identification.
Coverity Scan detects common low-level programming errors that can often result in a security vulnerability, including buffer and integer overflows, format string vulnerabilities, and missing or insufficient validation of data and string input. In Collabora’s codebase, Coverity typically captures unnecessary null checks and dereferenced pointers. This analysis is run against the latest development versions, which allows us to catch and fix defects well before they are released.

In regard to document security and bug-fixing, the engineering team operates two 24/7 document robustness testing campaigns:
Continuous Crash-testing
The primary purpose of continuous crash testing is to assess the resilience and recovery capabilities of Collabora Online. The testing process uses over 812,000 documents collected from multiple document sources, such as various bug tracking and defect management systems and internet forums. Excel documents alone amount to 545,000 files, and each test cycle takes around four days to execute on an Intel Xeon E5-2650 v4 (2.20 GHz) CPU with 125 GiB of memory.
For many formats we export the documents to multiple formats and re-import the exported output. In this way, we are constantly verifying that no new code changes have been introduced that cause a crash on import of the initial documents, export of those documents, or re-import of the exported documents. The findings are logged, and each failed import and export is reported. We extract the backtraces from the coredumps and address any issues that are found early in the development cycle.
A key component of Collabora’s continuous crash-testing programme is a long-term partnership with Adfinis—spanning over 12 years—which has invested in and donated hardware to advancing open-source document collaboration, digital sovereignty, and high-quality software reliability.
Continuous OSS-Fuzz Testing
Fuzzing has become integral to modern software development and a highly effective way of discovering critical vulnerabilities. Collabora Productivity uses the testing technique to fuzz documents with the OSS-Fuzz service.
OSS-Fuzz was a response by Google to the Heartbleed OpenSSL bug. It automatically generates and tests malformed, unexpected, or random inputs to identify potential crashes, memory leaks, and exploitable vulnerabilities. We apply around 50 different fuzzing targets created by Collabora engineers, involving 49 different file formats, including targets for obscure file formats, such as Microsoft Visio’s older file format (VSD) and Microsoft Publisher (PUB).
Collabora’s OSS-Fuzz builds use four different types of engine (including libFuzzer and honggfuzz) and configurations (such as the address, memory and undefined behaviour sanitisers) to create 200 custom fuzzing processes, which are run every day of the year and rebuilt twice a day.
The configuration is statically built with no dynamic libraries, which OSS-Fuzz recommends for performance reasons, and has a series of other fuzzing-specific considerations, such as running without a configuration layer.
Collabora is constantly developing the testing process. For example, we have improved our PDF export fuzzing, where we look for crashes at the layout and export-to-PDF phase. We have also added a custom mutator in an effort to force only legitimate XML input to pass to the fuzzer and uncover issues we have not seen before.
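The custom-mutator idea above, combined with the import, export and re-import round trip from the crash-testing section, shown as an added example that is not Collabora's code. The toy balanced-tag XML subset, `importDoc` and `exportDoc` are hypothetical stand-ins for a real document filter; the two `LLVMFuzzer*` functions are libFuzzer's standard entry points.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <random>
#include <string>
#include <vector>
using Tokens = std::vector<std::string>;
// Hypothetical toy importer: tokenise balanced-tag XML; reject bad or mismatched tags.
std::optional<Tokens> importDoc(const std::string& xml) {
    Tokens tokens, open;
    for (size_t i = 0, end = 0; i < xml.size(); i = end) {
        bool isTag = xml[i] == '<';
        size_t close = xml.find(isTag ? '>' : '<', i);
        if (isTag && (close == std::string::npos || close - i < 2)) return std::nullopt;
        end = isTag ? close + 1 : std::min(close, xml.size());
        tokens.push_back(xml.substr(i, end - i));
        if (!isTag) continue;                                    // text run, nothing to balance
        std::string name = xml.substr(i + 1, close - i - 1);
        if (name[0] != '/') open.push_back(name);
        else if (open.empty() || open.back() != name.substr(1)) return std::nullopt;
        else open.pop_back();
    }
    return open.empty() ? std::optional<Tokens>(tokens) : std::nullopt;
}
std::string exportDoc(const Tokens& t) { std::string s; for (auto& x : t) s += x; return s; }

// libFuzzer custom-mutator hook: edit tokens, not bytes, so every output still imports.
// Input that does not import is replaced by a small valid seed document.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, size_t maxSize, unsigned int seed) {
    Tokens t = importDoc(std::string(data, data + size)).value_or(Tokens{"<a>", "x", "</a>"});
    std::minstd_rand rng(seed);
    size_t pos = rng() % (t.size() + 1), op = rng() % 3;
    std::string text(1, static_cast<char>('a' + rng() % 26));
    if (op == 0) t.insert(t.begin() + pos, {std::string("<n>"), std::string("</n>")});
    else if (op == 1) t.insert(t.begin() + pos, text);           // new text run
    else if (pos < t.size() && t[pos][0] != '<') t[pos] = text;  // rewrite a text run
    std::string out = exportDoc(t);
    if (out.size() > maxSize) return size;                       // no room: keep input as is
    std::copy(out.begin(), out.end(), data);
    return out.size();
}

// Fuzz target: import, export, re-import; a failed or divergent round trip traps.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    auto doc = importDoc(std::string(data, data + size));
    if (!doc) return 0;                                          // rejected on import
    auto again = importDoc(exportDoc(*doc));
    if (!again || *again != *doc) __builtin_trap();              // round trip diverged
    return 0;
}
```

Built with `clang++ -std=c++17 -g -fsanitize=fuzzer,address`, libFuzzer supplies `main` and calls the mutator in place of its default byte-level mutations.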
Our document fuzzing applies evolutionary algorithms which constantly ‘breed’ new files that reach newly introduced code paths in order to find flaws. The fuzzer watches the paths that are executed and automatically attempts to extend code coverage. Historically, fuzzing has contributed to uncovering many potential flaws in newly written code during the development phase.
We continuously check the results and alert the relevant committers when a change triggers a problem, and we re-attempt fuzzing on the document, so we run as many tests as possible. Mitigations for the flaws are allocated to the originator initially, but the Collabora engineering team frequently performs fixes to ensure that we capture issues early and long before release.
More Security Layers to Explore
As we have demonstrated, security is fundamental to how we build Collabora Productivity. But while we comply with internationally recognised organisational standards, including ISO 9001 and ISO 27001 certifications, and practise continuous automated testing, there is much more to the company’s multi-layered security onion. In Part 2, we will explore the three main components of Collabora Online’s (COOL’s) architecture and how we carefully apply the principle of least privilege to each software layer and continue to bolster our ‘security onion’ with isolation measures.
Evaluate Collabora Online for your organisation today and try a pilot deployment of a document editor that keeps your data entirely within your control.
