DHS finds flaws in 180 open source software projects
Are Linux and open source software really more 'secure' than commercial software products? Maybe, and maybe not. The US Dept. of Homeland Security and two research partners have now detected significant flaws in Samba, Python, Perl, and about 180 other open source projects -- but fixes are on the way.
Although some have claimed that Linux and other open source projects are more "secure" than commercial software, a bug-finding program sponsored by the US Department of Homeland Security (DHS) has now discovered significant flaws in 180 different open source software projects.
Conducted for the DHS by Coverity and Stanford University, the Open Source Hardening Project has been analyzing code for potential security vulnerabilities and quality defects in 250 different open source projects since 2006.
The 250 projects analyzed produce some of the world's most popular open source applications, including the Linux operating system; the Apache Web Server; the Firefox Web browser; and Samba, an open source implementation of Server Message Block (SMB), a protocol used by Microsoft Windows for file and print services.
One of the reasons why open source software is sometimes viewed as more secure is that the code is created by teams of developers from multiple organizations -- some of them volunteers -- who work collaboratively, sharing applications and bug fixes.
Nevertheless, out of the 180 projects found by Coverity to have significant defects, only 11 of them have so far been advanced by Coverity to the second stage of bug cleansing, dubbed "Rung 2," with some others expected to reach that level within the next few months.
The 11 projects now being graduated to Rung 2 are Samba, Amanda, Perl, Overdose, OpenVPN, OpenPAM, PHP, Postfix, TCL, NTP, and Python.
Other projects, however, are still either at Rung 1 in the process, or even worse, at Rung 0, meaning that they haven't even gotten started yet on bug fixing.
Open source development is especially widespread in government, partly because of cost, but also because government agencies can be especially sensitive to avoiding vendor lock-in. And this isn't the first time that a federal agency has gotten involved in trying to bolster software quality and security.
Over the years, a number of "hardened" Linux distributions and kernels have been created for use in government agencies and other high-security environments. One of these, SELinux, for example, was spearheaded by the National Security Agency (NSA).
Now, another federal government agency -- the National Institute of Science and Technology (NIST) -- is reportedly working with the University of Texas at Arlington on readying a new approach to open source flaw detection, known as "combinatorial testing."
The new approach is aimed at saving time for developers by generating tests to explore interactions among all of the various settings -- such as "on" and "off" -- of multiple variables related to software commands.
Combinatorial testing is foreseen as especially useful in improving the security and functionality of Web sites, interactive voice response (IVR) systems, industrial process controls, and other software applications with lots of different variables.
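To make the idea concrete, here is an added example (not code from the article, from NIST, or from the University of Texas tool) of the simplest form of combinatorial testing: pairwise, or 2-way, test generation. Instead of running every combination of every setting, it builds a much smaller test set in which each pair of settings still appears together at least once, which is where most interaction bugs show up. The parameter model for a login endpoint (`LOGIN_PARAMETERS`) and all function names are constructed for this illustration.

```python
"""Pairwise (2-way) combinatorial test generation, greedy style.

Constructed illustration of the approach described in the article: rather
than running every combination of every setting, build a small test set in
which every pair of settings (variable A = x together with variable B = y)
occurs in at least one test. The parameter model below is made up for the
example and is not from the article or from NIST's tool.
"""
from itertools import combinations, product

# Constructed parameter model for a hypothetical login endpoint: each
# variable and the settings it can take.
LOGIN_PARAMETERS = {
    "tls": ["on", "off"],
    "auth": ["none", "basic", "token"],
    "compression": ["on", "off"],
    "method": ["GET", "POST"],
}


def exhaustive_count(parameters):
    """Number of tests a full cross-product of all settings would need."""
    total = 1
    for values in parameters.values():
        total *= len(values)
    return total


def all_pairs(parameters):
    """Every (var_a, val_a, var_b, val_b) tuple that 2-way coverage must hit.

    Variables are paired in the model's declaration order so that the
    tuples are canonical and comparable with pairs_in_test()."""
    pairs = set()
    for (name_a, vals_a), (name_b, vals_b) in combinations(parameters.items(), 2):
        for val_a in vals_a:
            for val_b in vals_b:
                pairs.add((name_a, val_a, name_b, val_b))
    return pairs


def pairs_in_test(test, parameters):
    """The pairs that one test case (dict variable -> setting) exercises."""
    assigned = [(name, test[name]) for name in parameters]
    return {(na, va, nb, vb) for (na, va), (nb, vb) in combinations(assigned, 2)}


def generate_pairwise(parameters):
    """Greedy covering-array construction.

    Each round scores every full combination by how many still-uncovered
    pairs it would hit and keeps the best one. Scanning the whole
    cross-product is fine for a small model like this one; production tools
    use smarter constructions for large models, but the coverage goal is
    the same."""
    names = list(parameters)
    uncovered = all_pairs(parameters)
    tests = []
    while uncovered:
        best_test, best_gain = None, -1
        for combo in product(*(parameters[n] for n in names)):
            candidate = dict(zip(names, combo))
            gain = len(pairs_in_test(candidate, parameters) & uncovered)
            if gain > best_gain:
                best_test, best_gain = candidate, gain
        tests.append(best_test)
        uncovered -= pairs_in_test(best_test, parameters)
    return tests


def is_pairwise_complete(tests, parameters):
    """True when every 2-way interaction in the model appears in some test."""
    covered = set()
    for test in tests:
        covered |= pairs_in_test(test, parameters)
    return covered >= all_pairs(parameters)


if __name__ == "__main__":
    suite = generate_pairwise(LOGIN_PARAMETERS)
    print(f"{len(suite)} pairwise tests instead of "
          f"{exhaustive_count(LOGIN_PARAMETERS)} exhaustive ones")
    for test in suite:
        print(test)
    print("all pairs covered:", is_pairwise_complete(suite, LOGIN_PARAMETERS))
```

For this four-variable model the exhaustive suite has 24 cases and 30 distinct pairs to cover; the greedy generator needs only a handful of cases (never fewer than six, since `auth` has three settings that must each meet both `tls` settings). The saving grows quickly with the number of variables, which is the point the article makes about large, many-option systems such as web sites and IVR menus; `is_pairwise_complete` is the check a reviewer would run to confirm nothing was dropped when a suite is trimmed.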
Researchers at NIST and the University of Texas reportedly plan to release the new testing tool early this year, after a period of beta testing.