DHS Funds Open-Source Security Project

Jan 31, 2013

SE 386 Software Maintenance and Reengineering
Notes 010
Outsourcing
rowemi
Page 1
3/18/2013 1:17:00 AM



DHS Funds Open-Source Security Project


By Ryan Naraine
January 11, 2006
http://www.eweek.com/article2/0,1895,1909946,00.asp








The U.S. government's Department of Homeland Security plans to spend $1.24 million over three years to fund an ambitious software auditing project aimed at beefing up the security and reliability of several widely deployed open-source products.

The grant, called the "Vulnerability Discovery and Remediation Open Source Hardening Project," is part of a broad federal initiative to perform daily security audits of approximately 40 open-source software packages, including Linux, Apache, MySQL and Sendmail.

The plan is to use source code analysis technology from San Francisco-based Coverity Inc. to pinpoint and correct security vulnerabilities and other potentially dangerous defects in key open-source packages.

Software engineers at Stanford University will manage the project and maintain a publicly available database of bugs and defects.

Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects.


"The government is now doing what private companies have been doing to make sure the software packages are secure and reliable for widespread deployment," said Rob Rachwald, senior director of marketing at Coverity.

In an interview with eWEEK, Rachwald said Stanford professor Dawson Engler will manage the code analysis, which involves an automated process of poring over millions of lines of code to find potential problems.

"Four years ago, Linux had 2 million lines of code. Today, that's up to 6 million lines of code. There are 75,000 different functions within the Linux kernel. There's no way you can realistically go through that without having it automated in some way," Rachwald said.

Under the DHS-sponsored project, "We'll be testing 100 percent of your code base, going through each and every function to understand how those functions are related," he said.


The scans will pinpoint buffer overflows, memory allocation bugs and other vulnerabilities that are a constant target for malicious hacking attacks.

Rachwald said the audit will also pinpoint hidden security errors that compromise security without warning.

In addition to Linux, Apache, MySQL and Sendmail, the project will also pore over the code bases for FreeBSD, Mozilla, PostgreSQL and the GTK (GIMP Tool Kit) library.

According to a recent study by the Mitre Corp., there are more than 230 open-source software packages already in use for critical operations within the federal government.

US-CERT's (United States Computer Emergency Readiness Team) 2005 year-end vulnerability statistics found a startling increase in flaws in Unix/Linux operating systems. The controversial data revealed 812 flaws in Windows, compared with 2,328 vulnerabilities in various Unix/Linux packages.