Homeland Security helps secure open-source code

The U.S. Department of Homeland Security is extending the scope of its protection to open-source software.

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

In the effort, which the government agency calls the "Vulnerability Discovery and Remediation, Open Source Hardening Project," Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said.

The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

"We're going to make automatic checking deeper and more thorough using the latest research and apply this to the open-source infrastructure to make it more robust," said Dawson Engler, an associate professor at Stanford who is working on the project. "A lot of the nation's critical computing infrastructure is open source, and it isn't really checked in an automatic way."

Symantec will provide security intelligence and test the source code analysis tool in its proprietary software environment, said Brian Witten, the director of government research at the Cupertino, Calif., security software vendor.

"Our role here is to help Stanford and Coverity aim their research and development to best help commercial software developers," Witten said. "By applying the Coverity tools to both open-source and proprietary software, Coverity is getting feedback from two very different worlds of software development."

Playing catch-up to commercial code
The project will expand an existing Coverity initiative that already provides Linux developers with regular bug data.

"We will take that to the next level and pull together dozens of major open-source projects, and do full analysis of those code bases," Coverity co-founder David Park said.

Commercial software makers commonly use source code analysis tools, either bought or homegrown, to vet their code before releasing a product to market. However, such tools are often too expensive for open-source developers, experts said. Instead, open-source programmers eyeball each other's code or check their own work manually.

The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.

The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.

This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

At the same time, proprietary software stands to gain as well, Quandt said. "While these efforts will help secure open-source software, the improvement in Coverity's tools can be used to also improve the security of proprietary software," she said.

But the real winner is Coverity, Quandt said. The company's technology is based on Stanford research, and Stanford's Engler is closely affiliated with the business.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

"It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

The Department of Homeland Security could not immediately comment.

Engler defended the initiative, noting that the Department of Homeland Security is effectively paying for a commercial bug-checking tool to be applied to open-source software.

"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," he said.