[ISN] Homeland Security helps secure open-source code

Wed Jan 11 01:49:15 EST 2006

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

By Joris Evers 
Staff Writer, CNET News.com
January 10, 2006

The U.S. Department of Homeland Security is extending the scope of its
protection to open-source software.

Through its Science and Technology Directorate, the department has
given $1.24 million in funding to Stanford University, Coverity and
Symantec to hunt for security bugs in open-source software and to
improve Coverity's commercial tool for source code analysis,
representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year
period, with $841,276 going to Stanford, $297,000 to Coverity and
$100,000 to Symantec, according to San Francisco-based technology
provider Coverity, which plans to announce the award publicly on
Wednesday.

In the effort, which the government agency calls the "Vulnerability
Discovery and Remediation, Open Source Hardening Project," Stanford
and Coverity will build and maintain a system that does daily scans of
code contributed to popular open-source projects. The automated system
should be running by March, and the resulting database of bugs will be
accessible to developers, they said.

The data is meant to help secure open-source software, which is
increasingly used in critical systems, analysts said. Programmers
working on the Linux operating system, Apache Web server, BIND
Internet infrastructure software and Firefox browser, for example,
will be able to fix security vulnerabilities flagged by the system
before their code becomes part of a released application or operating
system.

"We're going to make automatic checking deeper and more thorough using
the latest research and apply this to the open-source infrastructure
to make it more robust," said Dawson Engler, an associate professor at
Stanford who is working on the project. "A lot of the nation's
critical computing infrastructure is open source, and it isn't really
checked in an automatic way."

Symantec will provide security intelligence and test the source code
analysis tool in its proprietary software environment, said Brian
Witten, the director of government research at the Cupertino, Calif.,
security software vendor.

"Our role here is to help Stanford and Coverity aim their research and
development to best help commercial software developers," Witten said.  
"By applying the Coverity tools to both open-source and proprietary
software, Coverity is getting feedback from two very different worlds
of software development."

Playing catch-up to commercial code

The project will expand an existing Coverity initiative that already
provides Linux developers with regular bug data.

"We will take that to the next level and pull together dozens of major
open-source projects, and do full analysis of those code bases,"  
Coverity co-founder David Park said.

Commercial software makers commonly use source code analysis tools,
either bought or homegrown, to vet their code before releasing a
product to market. However, such tools are often too expensive for
open-source developers, experts said. Instead, open-source programmers
eyeball each other's code or check their own work manually.

The effort will help put open-source development on a par with
commercial software efforts, Park said. "The open-source community
does not have access to those kinds of tools, so we are trying to
correct that to some extent," he said.

The list of open-source projects that Stanford and Coverity plan to
check for security bugs includes Apache, BIND, Ethereal, KDE, Linux,
Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.

This could be a boon for open-source security, said Stacey Quandt, an
analyst with Aberdeen Group. "The benefit for open source is that it
enables it to be up to date with commercial technology innovation,"  
she said.

At the same time, proprietary software stands to gain as well, Quandt
said. "While these efforts will help secure open-source software, the
improvement in Coverity's tools can be used to also improve the
security of proprietary software," she said.

But the real winner is Coverity, Quandt said. The company's technology
is based on Stanford research, and Stanford's Engler is closely
affiliated with the business.

The project, while generally welcomed, has come in for some criticism
from the open-source community. The bug database should help make
open-source software more secure, but in a roundabout way, said Ben
Laurie, a director of the Apache Foundation who is also involved with
OpenSSL. A more direct way would be to provide the code analysis tools
to the open-source developers themselves, he said.

"It is regrettable that DHS has decided once more to ensure that
private enterprise profits from the funding, while the open-source
developers are left to beg for the scraps from the table," he said.  
"Why does the DHS think it is worthwhile to pay for bugs to be found,
but has made no provision to pay for them to be fixed?"

The Department of Homeland Security could not immediately comment.

Engler defended the initiative, noting that the Department of Homeland
Security is effectively paying for a commercial bug-checking tool to
be applied to open-source software.

"The money is going to provide them with things they need to fix the
bugs, which is bug reports. That is a lot better than they have now,
which is nothing," he said.

-=-

Scrubbing for bugs

List of open-source software to be analyzed in the Department of
Homeland Security-sponsored project.

Abiword Apache BerkeleyDB Bind Ethereal Firebird Firefox FreeBSD Gaim
Gimp Gtk+ Icecast Inetutils KDE Linux Mplayer MySQL OpenBSD OpenLDAP
OpenSSH OpenSSL OpenVPN Proftpd QT Samba Squid TCL TK wxGtk Xine Xmms
Xpdf

Source: Coverity