DHS Backs Open-Source Security

Department funds project to audit apps, maintain public database of bugs, defects.

The Department of Homeland Security plans to spend $1.24 million over three years to fund an ambitious software auditing project aimed at beefing up the security and reliability of several widely deployed open-source products.

The grant, called the Vulnerability Discovery and Remediation, Open Source Hardening Project, is part of a broad federal initiative to perform daily security audits of approximately 40 open-source applications, including Linux, Apache, MySQL and Sendmail.

The idea is to use source code analysis technology from San Francisco-based Coverity Inc. to pinpoint and correct security vulnerabilities and other potentially dangerous defects in key open-source packages.

Software engineers at Stanford University will manage the project and maintain a publicly available database of bugs and defects. Anti-virus vendor Symantec Corp. is providing guidance to help identify where security gaps might exist in certain open-source projects.

"The government is now doing what private companies have been doing to make sure the software packages are secure and reliable for widespread deployment," said Rob Rachwald, senior director of marketing at Coverity.

In an interview with eWEEK, Rachwald said Stanford professor Dawson Engler will manage the code analysis, which involves an automated process of poring over millions of lines of code to find potential problems.

"Four years ago, Linux had 2 million lines of code. Today, that's up to 6 million lines of code. There are 75,000 different functions within the Linux kernel. There's no way you can realistically go through that without having it automated in some way," Rachwald said.

Under the DHS-sponsored project, "we'll be testing 100 percent of your code base, going through each and every function to understand how those functions are related," Rachwald said.

The scans will pinpoint buffer overflows, memory allocation bugs and other vulnerabilities that are constant targets for malicious attacks. Rachwald said the audit will also pinpoint hidden security errors that compromise security without warning.

In addition to Linux, Apache, MySQL and Sendmail, the project will pore over the code bases for FreeBSD, Mozilla, PostgreSQL and the GTK (GIMP Tool Kit) library.

According to a recent study by The Mitre Corp., there are more than 230 open-source software packages already in use for critical operations within the federal government.

The U.S. Computer Emergency Readiness Team's 2005 year-end vulnerability statistics found a startling increase in flaws in Unix and Linux operating systems. The controversial data revealed 812 flaws in Microsoft Corp.'s Windows, compared with 2,328 vulnerabilities in various Unix and Linux packages.