DHS Gets Into Open Source

In what could be a nice boost to the open source software movement, the Department of Homeland Security (DHS) awarded a $1.24 million open source security testing grant to Coverity, Stanford University and Symantec.

The three-year grant, called the Vulnerability Discovery and Remediation Open Source Hardening Project, is part of a larger federal initiative by the DHS’s Science and Technology Directorate (DHS S&T) to foster the development and deployment of technologies to protect the nation’s telecommunications infrastructure, including the Internet and other critical networks that depend on computer systems for their mission.

Coverity will use the money to code-test 40 of the most commonly used open source software projects, including Apache, FreeBSD, GTK, Linux, Mozilla, MySQL and PostgreSQL, with its Prevent software, which uses static source code analysis to find various types of hidden security errors.

The audit results will be published daily on the Web and are intended to help the development community, industry and government identify and correct security vulnerabilities in some of the most important and widely used software in the world.

“Ten years ago code bases were a lot smaller and less complex, so code audits and manual testing worked pretty effectively,” said David Park, vice president of Marketing & Business Development at Coverity. “But, in today’s world, … there’s only so much humans can do.”

Aside from assuring secure code, Park believes the effort will only boost the adoption of open source code in government and the enterprise. And, perhaps more importantly, it will ensure that code already in use does not have critical flaws that are only discovered by accident.

The open source operating system Linux, for example, has over six million lines of code, which can lead to tens of millions of events. Manually testing for all those potential events is impossible. By automating the process, defective source code can be found more easily without having to wait for a one-of-a-kind event to trigger a problem.

“The conventional way of ensuring security, which is the … firewalls, IDS software, is an important part but that’s not the whole story—especially with the size and complexity of today’s open source projects—they’re realizing that the problem also has to be attacked from the other stream, which is the source code.

A 2002 study by the Mitre Corp. for the National Institute of Standards and Technology identified more than 230 open source software packages already in use for critical operations within the federal government.

“That’s why (DHS) is behind it,” said Park.

Under the terms of the grant, Coverity and Stanford will build and maintain a system that automatically analyzes more than 40 open source software projects as a nightly regression and publishes the defects it finds in a publicly available bug database.