US National Security Agency invests in open-source security projects


chinaop...@gmail.com

Jan 13, 2006, 12:21:40 PM
to 开源软件在中国 (Open Source Software in China)
The US National Security Agency plans to invest $1.24 million to fund capable open-source projects; see the following article for details:

The U.S. government's Department of Homeland Security plans to spend
$1.24 million over three years to fund an ambitious software auditing
project aimed at beefing up the security and reliability of several
widely deployed open-source products.

The grant, called the "Vulnerability Discovery and Remediation Open
Source Hardening Project," is part of a broad federal initiative to
perform daily security audits of approximately 40 open-source software
packages, including Linux, Apache, MySQL and Sendmail.

The plan is to use source code analysis technology from San
Francisco-based Coverity Inc. to pinpoint and correct security
vulnerabilities and other potentially dangerous defects in key
open-source packages.

Software engineers at Stanford University will manage the project and
maintain a publicly available database of bugs and defects.

Anti-virus vendor Symantec Corp. is providing guidance as to where
security gaps might be in certain open-source projects.

"The government is now doing what private companies have been doing to
make sure the software packages are secure and reliable for widespread
deployment," said Rob Rachwald, senior director of marketing at
Coverity.


In an interview with eWEEK, Rachwald said Stanford professor Dawson
Engler will manage the code analysis, which involves an automated
process of poring over millions of lines of code to find potential
problems.

"Four years ago, Linux had 2 million lines of code. Today, that's up to
6 million lines of code. There are 75,000 different functions within
the Linux kernel. There's no way you can realistically go through that
without having it automated in some way," Rachwald said.

Under the DHS-sponsored project, "We'll be testing 100 percent of your
code base, going through each and every function to understand how
those functions are related," he said.

The scans will pinpoint buffer overflows, memory allocation bugs and
other vulnerabilities that are a constant target for malicious hacking
attacks.

Rachwald said the audit will also pinpoint hidden security errors that
compromise security without warning.


In addition to Linux, Apache, MySQL and Sendmail, the project will also
pore over the code bases for FreeBSD, Mozilla, PostgreSQL and the GTK
(GIMP Tool Kit) library.

According to a recent study by the Mitre Corp., there are more than 230
open-source software packages already in use for critical operations
within the federal government.

US-CERT's (United States Computer Emergency Readiness Team) 2005
year-end vulnerability statistics found a startling increase in flaws
in Unix/Linux operating systems. The controversial data revealed 812
flaws in Windows, compared with 2,328 vulnerabilities in various
Unix/Linux packages.

http://blog.sina.com.cn/u/465ccf88010001iq
