DHS funds effort to find flaws in open source

17.01.2006
The U.S. Department of Homeland Security is funding a US$1.24 million project that is designed to improve the security of open-source software.

The plans calls for source-code analysis vendor Coverity Inc. and Stanford University to build and maintain a publicly available database of the bugs they find in more than 40 open-source technologies, including Linux, FreeBSD, Apache, Mozilla and MySQL.

San Francisco-based Coverity said the database will include information gathered from automated daily scans of the open-source software using its Prevent code-analysis tool. Registered users should be able to access the database from Coverity's Web site starting in about three months. Security vendor Symantec Corp. will help analyze the results of the scans. Stanford will get $841,276 from the DHS over the next three years, while Coverity and Symantec will receive $297,000 and $100,000, respectively.

Dawson Engler, a computer science professor at Stanford, said the DHS's Open Source Hardening Project should produce a more formal approach for finding bugs in open-source code.

"The commercial side is using all the automated tools they can to find bugs in their products," he said. "You don't see the same kind of effort on the open-source side."

The goal is twofold, said Rob Rachwald, director of marketing at Coverity. First, government officials are "seeing an increased use of open-source, and they want to harden the code," Rachwald said. Second, he added, the data-base is designed to give the open-source community improved access to bug information so developers can make the products they're working on more secure.