The widespread adoption of open-source software by corporations and governments has raised some security concerns in the U.S. Department of Homeland Security (DHS), and the agency is responding.
It has funded a three-year grant reportedly worth US$1.24 million to — among other things — set up a daily auditing program of major open-source applications. The grant money will be divvied up among its recipients, Stanford University of Palo Alto, Calif. ($841,276), Coverity of San Francisco ($297,000), and Symantec of Santa Monica, Calif. ($100,000).
“The DHS is realizing that more and more of our nation’s critical software infrastructure is being run on top of open source,” Coverity Vice President for Marketing and Business Development David Park told LinuxInsider.
“There’s a feeling that there must be a hardening of these software projects to make them more reliable and secure,” he said.
Killing the Bugs
Coverity’s bug-zapping program, Prevent, will be used to conduct the daily audits called for in the grant and post them to a secure, restricted-access Web site for developers.
More than 30 programs will be audited by Coverity, including Apache, Firebird, Firefox, Gimp, Linux, MySQL, OpenSSH, OpenVPN and Samba.
In addition to paying for the daily vulnerability audits, the grant will be used to develop filesystem-checking tools for contribution to the open-source community, according to Professor Dawson Engler, who is administering Stanford’s portion of the DHS money.
The tools will find bugs in storage systems, like RAID, that can crash and corrupt a system, he added.
Symantec could not be reached for comment on its role in utilization of the grant. However, the computer security firm will be working with Coverity “on market validation and some intelligence on what customers want and don’t want in terms of security stuff,” Engler told LinuxInsider.
“They will serve as a conduit for us to get a bunch of security trials at companies that may be happy to talk to Symantec but not to some random startup,” he said.
“They will also get validation from the market,” Engler added. “DHS doesn’t want to fund commercialization of something that’s going to flop, so Symantec’s job is to make sure that what we produce will actually make money and help the government and private industry.”
Some Community Members Miffed
Tools have been available to open-source developers for years to address flaws in the programs, according to Michael Gavin, a senior analyst for Forrester Research. “One thing that I’ve been surprised and disappointed by was that they were not used more broadly,” he told LinuxInsider.
“Now that people are relying on open source, especially for so many servers, the Department of Homeland Security is stepping up and saying, ‘we rely on them, and we need to make sure that they’re more secure.’”
After news of the grant was made public, the DHS came under fire from some corners of the open-source world for its willingness to fund the search for bugs in open-source software despite its reluctance to pay for fixing the bugs exposed by Coverity’s efforts.
“Open-source people have done a lot of stuff that’s been good, and they haven’t been paid for it,” Gavin noted.
“It is a little surprising that a private company is getting funded for this,” Gavin continued. “If it had just gone to Stanford, that’s one thing. But going to Stanford, Symantec and Coverity — that’s a little strange.
“It’s not bad that somebody is putting money into it,” he said. “To me, it’s a little questionable as to how they decided who gets the money.”
Addressing vulnerabilities in open-source software is a good thing, agreed Djenana Campara, CTO and chairperson of Klocwork, a software quality and security firm in Burlington, Mass.
“I’m really glad that Homeland Security is investing in these types of activities,” she told LinuxInsider. “What I don’t understand and can’t comprehend is why they’re funding the development of a particular vendor who is known in the quality defect detection space and now they’re crossing into security — so they’re going to use this grant to develop their security offering.”
However, Coverity has already established a presence in the security space, noted Jack Danahy, CTO and founder of Ounce Labs, a software quality and security company in Waltham, Mass.
“They focus on quality and security in a limited number of platforms versus a broader approach,” he told LinuxInsider.
“They’ve been in security for a while,” he added. “They’re a credible player for the security problems that they find.”
DHS could not be reached for comment.
I can understand the fundamental paranoia about it, but this: "Coverity’s bug-zapping program, Prevent, will be used to conduct the daily audits called for in the grant and post them to a secure, restricted-access Web site for developers." is bullshit. Open source advances and fixes its bugs by making *everyone* a developer. How the hell do you restrict access to information about vulnerabilities to developers, when those developers could be everyone from Red Hat to the 13-year-old that just happened to wake up one morning with a brilliant idea for network security and wrote it on the computer he shares with his 8 brothers and sisters? I think they are being stupidly clueless about this one factor, even if the idea is generally sound.