DHS Funds Open-Source Security Project

Jan 31, 2013


SE 386 Software Maintenance and Reengineering

Notes 010




3/18/2013 1:17:00 AM

DHS Funds Open Source Security Project


Ryan Naraine

January 11, 2006


The U.S. government's Department of Homeland Security plans to spend $1.24 million over three years to fund an ambitious software auditing project aimed at beefing up the security and reliability of several widely deployed open-source products.

The grant, called the "Vulnerability Discovery and Remediation Open Source Hardening Project," is part of a broad federal initiative to perform daily security audits of approximately 40 open-source software packages, including Linux, Apache, MySQL and Sendmail.

The plan is to use source code analysis technology from San Francisco-based Coverity Inc. to pinpoint and correct security vulnerabilities and other potentially dangerous defects in key source packages.

Software engineers at Stanford University will manage the project and maintain a publicly available database of bugs and defects.

Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects.


"The government is now doing what private companies have been doing to make sure the software packages are secure and reliable for widespread deployment," said Rob Rachwald, senior director of marketing at Coverity.

In an interview with eWEEK, Rachwald said Stanford professor Dawson Engler will manage the code analysis, which involves an automated process of poring over millions of lines of code to find potential problems.

"Four years ago, Linux had 2 million lines of code. Today, that's up to 6 million lines of code. There are 75,000 different functions within the Linux kernel. There's no way you can realistically go through that without having it automated in some way," Rachwald said.

Under the DHS-sponsored project, "We'll be testing 100 percent of your code base, going through each and every function to understand how those functions are related," he said.


The scans will pinpoint buffer overflows, memory allocation bugs and other vulnerabilities that are a constant target for malicious hacking attacks.

Rachwald said the audit will also pinpoint hidden security errors that compromise security
without warning.
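The two defect classes the article names, buffer overflows and memory-allocation bugs, are the bread and butter of source-code checkers like the one described. As an added illustration (not code from the article, from Coverity, or from any of the projects listed), here is each pattern as a checker would flag it, next to a bounded rewrite. The `NAME_MAX` buffer size and the `struct record` type are invented for the example.

```c
/* Added example: the defect classes the article names (buffer overflows and
 * memory-allocation bugs), each as the pattern a static checker flags next to
 * a bounded rewrite. NAME_MAX and struct record are invented for the example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* Vulnerable: unbounded copy of caller data into a fixed stack buffer. Any name
 * of 16 or more bytes writes past `buf`. Defined only to show the pattern; it is
 * never called in this file. */
size_t greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                      /* no length check */
    return strlen(buf);
}

/* Hardened: require a terminator inside the destination's capacity, copy with an
 * explicit byte count, and leave `dst` NUL-terminated either way.
 * Returns 0 on success, -1 if `name` does not fit (dst is then ""). */
int copy_name(char dst[NAME_MAX], const char *name)
{
    const char *nul = memchr(name, '\0', NAME_MAX);  /* scans at most NAME_MAX bytes */
    if (nul == NULL) {                               /* 16+ bytes: would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, (size_t)(nul - name) + 1);     /* length < NAME_MAX, so it fits */
    return 0;
}

struct record {
    uint32_t id;
    char     tag[28];
};

/* Vulnerable: `count` comes from outside, so count * sizeof can wrap for large
 * values and malloc hands back a buffer far smaller than the loop assumes; the
 * malloc result is also never checked. Defined only to show the pattern. */
struct record *alloc_records_unsafe(size_t count)
{
    struct record *r = malloc(count * sizeof *r);   /* may wrap; result unchecked */
    for (size_t i = 0; i < count; i++)
        r[i].id = (uint32_t)i;                      /* heap overflow on wrap */
    return r;
}

/* Hardened: reject counts that would wrap the size computation, use calloc
 * (which performs the same check and zero-fills) and handle allocation failure
 * explicitly. Caller frees the result. Returns NULL on rejection or failure. */
struct record *alloc_records(size_t count)
{
    if (count == 0 || count > SIZE_MAX / sizeof(struct record))
        return NULL;
    struct record *r = calloc(count, sizeof *r);
    if (r == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        r[i].id = (uint32_t)i;
    return r;
}
```

The point of pairing each pattern with its fix is that the bounded versions are what a checker accepts: the copy is provably within `NAME_MAX`, and the allocation size cannot wrap, so a scan of "each and every function" has a concrete property to verify rather than a programmer's intent to guess at.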

In addition to Linux, Apache, MySQL and Sendmail, the project will also pore over the code bases for FreeBSD, Mozilla, PostgreSQL and the GTK (GIMP Tool Kit) library.

According to a recent study by the Mitre Corp., there are more than 230 open-source software packages already in use for critical operations within the federal government.

CERT's (United States Computer Emergency Readiness Team) 2005 year-end vulnerability statistics found a startling increase in flaws in Unix/Linux operating systems. The controversial data revealed 812 flaws in Windows, compared with 2,328 vulnerabilities in various Unix/Linux