A government-funded initiative aims to organize the efforts of critical code reviewers and boost the frequency with which programmers critique the code of others.
Funded by the Defense Advanced Research Projects Agency, the organization that initially bankrolled the predecessor to the Internet, the Sardonix Audit Portal aims to be the one-stop portal for organizing the efforts of critical code reviewers everywhere and for boosting the frequency with which programmers critique the code of others.
"It's my belief that the programs are getting audited a lot less than people think," said Crispin Cowan, chief scientist at secure Linux maker WireX Communications and the co-founder of Sardonix. "The Linux kernel is probably getting a decent audit while Mozilla is not getting audited enough. But all of that is a guess, and this is about measuring it."
Software security holes caused by a lack of proper review don't plague just the open-source world. Last month, after a memo from Microsoft Chairman Bill Gates directing the software giant's programmers to make security the No. 1 priority, top execs said the company would spend three to four weeks training its developers in secure coding techniques and auditing existing code.
The open-source community has had such an initiative in place for several years, but it has largely failed, Cowan said.
In 1998, Linux developers started the Linux Security Audit Project to push security experts to critique open-source programs and look for software bugs, but very little code ended up actually being reviewed, and the mailing list quickly morphed into an ongoing discussion of Linux security.
The potential of open-source programs to be extremely secure wasn't being met, Cowan said. "The promise of open source is that it enables many eyes to look at the code, but in reality, that doesn't happen," he said.
Now, Cowan and DARPA hope the Sardonix Audit Portal will help Linux and open-source software reorient itself toward better security.
To that end, the Sardonix site maintains a list of major unaudited programs as well as those that have been reviewed. As security experts finish auditing an application, it will get moved to the audited list.
The site also has a reference section listing open-source tools that can be used for analyzing a program for software bugs and helping developers write more secure programs.
Finally, Cowan intends to create a system to rate programmers who audit code, based on how well they have done in the past.
Other security researchers said the initiative sounds worthwhile in theory.
"Any code is definitely going to benefit from another pair of qualified eyes on it," said Greg Shipley, director of consulting services for computer security firm Neohapsis. "The keyword there is qualified, however."
Shipley stressed that while open-source software may have been picked at by more people than, say, your average Microsoft program, few of those programmers are knowledgeable about secure coding.
Theo de Raadt, founder and project leader of OpenBSD, another open-source Unix variant, said that the Linux development process has problems that code review may not fix.
"Linux has some diseases in the land of security," he said. "Featuritis in low-level code is growing out of control, almost to Microsoft levels, and this is just plain complexity that becomes difficult to control quality in."
The fundamental libraries used by programmers don't get audited enough, and security technologies do not always get picked up by the project leaders, known as maintainers.
DARPA has funded a large number of open-source security projects. In July, the government agency granted $1.2 million to a community project aimed at adding security features to FreeBSD. Eleven other projects, including the Sardonix Audit Portal, were funded.
As part of the DARPA-accepted proposal, WireX will also release two other software packages into the open-source community. StackGuard is an enhancement to the open-source C compiler that produces programs resistant to buffer overflow attacks, according to WireX's proposal. The company also intends to release new domain-name server software, called OpenBIND, after the maintainers of the most popular current program decided to be more close-mouthed about security.