January 10, 2006 5:05 PM PST

Homeland Security helps secure open-source code

The U.S. Department of Homeland Security is extending the scope of its protection to open-source software.

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

Scrubbing for bugs

List of open-source software to be analyzed in the Department of Homeland Security-sponsored project.

Abiword
Apache
BerkeleyDB
Bind
Ethereal
Firebird
Firefox
FreeBSD
Gaim
Gimp
Gtk+
Icecast
Inetutils
KDE
Linux
Mplayer
MySQL
OpenBSD
OpenLDAP
OpenSSH
OpenSSL
OpenVPN
Proftpd
QT
Samba
Squid
TCL
TK
wxGtk
Xine
Xmms
Xpdf

Source: Coverity

In the effort, which the government agency calls the "Vulnerability Discovery and Remediation, Open Source Hardening Project," Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said.

The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

"We're going to make automatic checking deeper and more thorough using the latest research and apply this to the open-source infrastructure to make it more robust," said Dawson Engler, an associate professor at Stanford who is working on the project. "A lot of the nation's critical computing infrastructure is open source, and it isn't really checked in an automatic way."

Symantec will provide security intelligence and test the source code analysis tool in its proprietary software environment, said Brian Witten, the director of government research at the Cupertino, Calif., security software vendor.

"Our role here is to help Stanford and Coverity aim their research and development to best help commercial software developers," Witten said. "By applying the Coverity tools to both open-source and proprietary software, Coverity is getting feedback from two very different worlds of software development."

Playing catch-up to commercial code
The project will expand an existing Coverity initiative that already provides Linux developers with regular bug data.

"We will take that to the next level and pull together dozens of major open-source projects, and do full analysis of those code bases," Coverity co-founder David Park said.

Commercial software makers commonly use source code analysis tools, either bought or homegrown, to vet their code before releasing a product to market. However, such tools are often too expensive for open-source developers, experts said. Instead, open-source programmers eyeball each other's code or check their own work manually.

The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.

The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.

This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

At the same time, proprietary software stands to gain as well, Quandt said. "While these efforts will help secure open-source software, the improvement in Coverity's tools can be used to also improve the security of proprietary software," she said.

But the real winner is Coverity, Quandt said. The company's technology is based on Stanford research, and Stanford's Engler is closely affiliated with the business.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

"It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

The Department of Homeland Security could not immediately comment.

Engler defended the initiative, noting that the Department of Homeland Security is effectively paying for a commercial bug-checking tool to be applied to open-source software.

"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," he said.

10 comments

Join the conversation!
Add your comment
Why Symantec?
While they have domain expertise in Windows security, they clearly have no record with Linux (and their media releases re Linux indicate fundamental lack of knowledge in this domain).
Posted by Zymurgist (397 comments )
Reply Link Flag
Same reason as always
Unfortunately, government is like corporations in this area: They don't know what they want, they want what they know.
Posted by TheReaperD (189 comments )
Link Flag
Homeland Security, eh?
So...Homeland Security is giving a nice little hunk of change to open sourcing. Such "generosity" in the wake of illegally mining our private information, calls, etc., begs the question "Why?" Is this another attempt to gather information on us? This corrupt government does not go around giving gifts. Better take another look at this "trojan horse"!
Posted by domino7 (2 comments )
Reply Link Flag
This Is Nothing New
Back when DARPA was first building the Internet, they helped fund Univ of California at Berkeley's networking extensions to UNIX. These were released under the BSD license, which led to them being adopted by nearly every proprietary and open source operating system around. And do not forget the OpenBSD project (which received some funding from the NSA) and other security-related work funded by the security apparatus. Because open source is the central part of the Internet, it is standard for security agencies to help enhance such software.
Posted by walt121 (4 comments )
Link Flag
MS probably won't like this
Now this is another marketing line for open source software you know. "Use Linux, we get bug reviews by the Department of Homeland Security daily!"
Posted by rmjb (28 comments )
Reply Link Flag
RE: MS Probably Won't Like This
MS has software that has passed the "Orange Book" certification, so they won't care much.
Posted by walt121 (4 comments )
Link Flag
Confusing
I admit I'm not an expert on open source, but advocates of open source often tout the ability of the code to be peer reviewed, therefore ensuring quality and security. So this effort wouldn't seem to make sense. Or, why not have NIST look into it?

Also, since Symantec is in the business of computer security, then why wouldn't their R&D practices already be examining the popular open source packages without needing government funding?
Posted by R. U. Sirius (745 comments )
Reply Link Flag
Are there no open source source code analysis tools?
Are there no open source source code analysis tools? Why? Perhaps now there would be increased interest and someone would start such a project.
Posted by hadaso (468 comments )
Reply Link Flag
Open Source tools are available
Yes there are, see David Wheeler's Flawfinder, which also links to other Open Source tools: <a class="jive-link-external" href="http://www.dwheeler.com/flawfinder/" target="_newWindow">http://www.dwheeler.com/flawfinder/</a>
Posted by mkgavin (1 comment )
Link Flag
Homeland\Open-source
Well, there goes that beautiful dream. Welcome to the NSA, The World-Wide Server with special computing apps for all your needs. Use our new e-mail/voip software and funnel all your text and voice communications directly to us. No middle man.
E-Ghads
Posted by aqvanavt (17 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.