Homeland Security Studies Software Vulnerabilities

Homeland Security has partnered with two commercial firms and one educational institution to study the disparity in vulnerabilities between commercial and open source software. This may verify or put to rest (to some degree at least) the arguments from vendors such as Microsoft that open source software, due to its open nature, is more prone to vulnerabilities. According to News.com:

the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis….The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL….

Symantec, the provider of the Norton Internet Security tools, has a lot of prior and current vulnerability data and a good practical understanding of threats and their reach in real-world scenarios. This is a more objective measure, but it does not really address the general quality of the code or its adherence to safe and well-formed coding practices.

Coverity is a source code auditing firm; it is well positioned to review source code and find previously undiscovered vulnerabilities and/or give subjective opinions on the quality of the source code and how likely a particular body of code is to prove vulnerable in the future. The money is most likely going to be spent on the subjective end of things; finding previously undiscovered vulnerabilities will just be a bonus (ethically speaking, they should be bound to report these to the appropriate parties).

I’m not sure what this research will discover, and I’m also skeptical that 1.24 million dollars is enough to actually complete a review of even just the list provided by the media. However, I welcome my tax dollars being spent on improving the standing of open source software within the government. Even if a number of vulnerabilities are found, it will be firmer ground to start from when government agencies begin their research into deploying some of the staple products offered under open source licenses. I believe that, regardless, increased usage of open source will eventually save tax dollars that would otherwise needlessly go to a commercial vendor.

Creative Commons License