Contributing To Open Source Software Security

Monday, May 5, 2008 11:38 AM

From operating systems to web browsers, open source software plays a critical role in the operation of the Internet. The security of open source software is therefore quite important, as it often interacts with personal information -- ranging from credit card numbers to medical records -- that needs to be kept safe. There has been a long-lived discussion on whether open source software is inherently more secure than closed source software. While popular opinion has begun to tilt in favor of openness, there are still arguments for both sides. Instead of diving into those treacherous waters (or giving weight to the idea of "inherent security"), I'd like to focus on the fruits of this extensive discussion. In particular, David A. Wheeler laid out a "bottom line" in his Secure Programming for Linux and Unix HOWTO which applies to both open and closed source software. It predicates real security in software on three actions:

  1. people need to actually review the code

  2. developers/reviewers need to know how to write secure code

  3. once found, security problems need to be fixed quickly, and their fixes distributed quickly

While distilling anything down to three steps makes it seem easy, this isn't necessarily the case. Given how important open source software is to Google, we've attempted to contribute to this bottom line. As Chris said before, our engineers are encouraged to contribute both software and time to open source efforts. We regularly submit the results of our automated and manual security analysis of open source software back to the community, including related software engineering time. In addition, our engineering teams frequently release software under open source licenses. This software was written either with security in mind, such as with security testing tools, or by engineers well-versed in the security challenges of their project.

These efforts leave one area completely unaddressed -- getting security problems fixed quickly, and then getting those fixes distributed quickly. It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users. Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?

I'm proud to announce that Google has sponsored participation in oCERT, the open source computer emergency response team. oCERT is a volunteer workforce of security professionals from the open source community with the goal of providing security vulnerability mediation and incident response services to open source projects. It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn't have a background in security. Reliable contacts for projects, publishers, and vendors will be maintained where possible and used for notification when issues arise and fixes are available for mediated issues. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises.

It is my hope that this initiative will not only aid in remediating security issues in a timely fashion, but also provide a means for additional security contributions to the open source community.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


Ruan said...
This comment has been removed by a blog administrator.
Casey said...

The "request a review" option is gone from my webmaster page for, and I need to remove the "This site may harm your computer" message now that the hack has been fixed. What should I do?

danyy said...

Hi this is danyy sorry to use this i came across your blog its very interesting your content also very nice if you like any design for your site like animated header at top of the blog i will provide you for free of cost in return i need link from your blog if interested please let me know.


Nima said...
This comment has been removed by a blog administrator.
Grove Group said...
This comment has been removed by a blog administrator.
aline said...

Olha eu adoro o orkut, mas eu vou dar uma opinião importante que eu sei que os outros usuários vão gostar.Seria bom que a gente tivesse a opÇão de escolher a cor do orkut,pois é muito chato se ter uma cor padrão para uma coisa que é da gente, sabe? Espero que gostem da idéia e ponha ela em ação.Obrigado desde já...

Roland said...
This comment has been removed by a blog administrator.
Roland said...
This comment has been removed by a blog administrator.
ememe said...

I' sorry to say oCERT was not helpful. In fact I'm really considering they are doing social engineering. In reviewing my open source project, Andrea Barisani was arrogant and dogmatic. oCERT claimed to have discovered a flaw, then they did such noise that every single virus witter would be aware of this flaw, then oCERT provided a patch that breaks functionality and proceeded to distribute this patch saying it was generated by project maintainer. Finally they announced an embargo and then they broken the embargo saying the info was leaked. Please, oCERT stay away of open source projects.

lcars said...

ememe: I don't know who are you nor what you are talking about. Provide more details if you want to make an informative post instead of just trolling.

oCERT never breaks embargo, if someone else involved in the process (oCERT is not the only party) leaks and breaks an embargo then it's oCERT duty to release an advisory as the information is public anyway.

oCERT doesn't do "social engineering" but this statement comments itself to be honest. Our reputation is well established, just look at our advisories and our members to get an idea.

If by chance you are referring to our last lcms advisory then you should probably read some comments from here:

as well as the advisory itself.

Your mention of "virus witter" (I assume you mean virus writers) is similiar to lcms maintainer.....go figure.

Andrea Barisani

Marti Maria said...

A friend pointed out this blog...

No, I was not who posted that crap. This is obviously a troll using some complains I did to create a flame war. My complains were about a patch, not about Andrea. I never got personal against Andrea. Also, I think this post is highly offensive.

I would have no problems signing my comments, even if those are strong words, as you probably already know.
Don't feed the troll.
Marti Maria