Monthly Archives

July 2015

Linux Foundation’s Core Infrastructure Initiative Launches New Census Project

By Announcements

Project Creates Methodology for Assessing Open Source Software in Need of Support 

San Francisco, July 9, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced The Census Project, a new program that analyzes popular open source projects to identify which ones are critical to Internet infrastructure and also most in need of additional support and funding.

The Heartbleed vulnerability in the open source software (OSS) program OpenSSL had widespread impact and serious ramifications. It led to the formation of the multi-million dollar Core Infrastructure Initiative backed by The Linux Foundation and industry leaders such as Amazon Web Services, Facebook, Google, IBM and Microsoft.

The Census Project expands on the CII’s efforts to collaboratively identify and fund critical open source projects in need of assistance. It automates the collection and analysis of data on different open source projects, ultimately creating a risk score for each project based on the results. Projects with a higher ranking are especially in need of reinforcements and funding; and, as a result, CII will consider such projects priority candidates for funding. A high score means that the project may not be getting the attention that it deserves and that it merits further investigation.

“Measuring software security is an ongoing struggle that’s notoriously difficult given missing or messy data,” said Jim Zemlin, Executive Director at The Linux Foundation. “There’s no perfect set of metrics to guarantee that software is secure or not. The Census Project brings the power of the open source collaboration to help fill this massive gap, which will provide a useful barometer for assessing software from a security point of view. We look forward to feedback on the effort in order to improve the census itself and subsequently the software that we all depend on for our privacy and security.”

With full source and data available on GitHub, developers and security experts are invited to participate in The Census Project: experimenting with different metrics, providing corrected data, proposing new projects to include in the evaluation, and suggesting alternative formulas for combining the data. Anyone can open a pull request with suggested changes drawn from the most successful alternatives.

Who Oversees The Census Project and How is It Funded
The Census Project is coordinated by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA), a nonprofit organization that operates three federally funded research and development centers and exists to promote national security, preserve the public welfare, and advance scientific learning by analyzing, evaluating, and reporting on matters of interest to the United States Government.

IDA’s work, funded by CII and by the U.S. Department of Homeland Security Homeland Open Security Technology (DHS HOST) program through the Georgia Tech Research Institute, is summarized in the new report “Open Source Software Projects Needing Security Investments,” which outlines past research and approaches used to calculate risk as well as Wheeler’s newest Census Project findings and methodology.

The supporting software that captures the data, which is sourced from the Black Duck Open HUB (formerly Ohloh), a free online community and public directory of free and open source software (FOSS), was written in Python by Samir Khakimov of IDA. The code is released under the open source MIT license.

Census Project Results 
The Census Project is examining a subset of Debian software packages, which are widely used, and other packages CII and Wheeler’s team identified as potentially concerning. Using this process, the project pinpointed software CII already funds, including OpenSSL, OpenSSH, NTP, and GnuPG.

“The Census Project aims to become an excellent framework for guiding CII funding to the projects most in need,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “CII members expect The Census Project to accelerate the process by which projects that are in need receive support and additional funds.”

How the Census Project Works 
The Census Project automatically gathers important metrics, such as the number of Common Vulnerabilities and Exposures (CVEs) filed and popularity, with a focus on less active projects. IDA and CII experts estimate a program’s exposure to attack using an algorithm to evaluate the data collected, which generates a list of projects that require more scrutiny. The algorithm also considers factors such as recent activity and whether a project web site exists, and assigns a risk index number ranging from 0 to 16. Final results of this cumulative process are available online with the ability to sort software by risk score, CVE count, contributor count and popularity.
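To make the scoring idea concrete, here is an added example (not the Census Project’s own code or its published formula) that turns the kinds of per-project metrics named above into a 0-16 risk index and ranks projects by it. The metric bands, the weights, the `Project` fields and the sample projects are all assumptions constructed for this illustration; the only thing taken from the page is the list of inputs (CVE count, popularity, contributor count, recent activity, website, language, network exposure) and the 0-16 range.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Project:
    """Per-project metrics of the kind the Census Project gathers (constructed fields)."""
    name: str
    cve_count: int           # CVEs filed against the package
    popularity: int          # e.g. install count reported by Debian popcon
    contributors_12mo: int   # distinct contributors in the last 12 months
    days_since_commit: int   # staleness of the code base
    has_website: bool        # does the project have its own website?
    language: str            # implementation language
    network_exposed: bool    # does it parse data arriving from the network?


def score_project(p: Project) -> int:
    """Combine the metrics into a 0-16 risk index.

    The bands and weights are illustrative assumptions chosen so that the
    maximum is 16; they are not the Census Project's published formula.
    """
    score = 0
    # Popularity: the more widely deployed, the larger the blast radius.
    if p.popularity >= 100_000:
        score += 3
    elif p.popularity >= 10_000:
        score += 2
    elif p.popularity >= 1_000:
        score += 1
    # Contributor count: few (or no) active contributors is a bus-factor risk.
    if p.contributors_12mo == 0:
        score += 3
    elif p.contributors_12mo <= 2:
        score += 2
    elif p.contributors_12mo <= 5:
        score += 1
    # Recent activity: a long-idle code base is unlikely to get timely fixes.
    if p.days_since_commit > 730:
        score += 3
    elif p.days_since_commit > 365:
        score += 2
    elif p.days_since_commit > 180:
        score += 1
    # CVE history: prior vulnerabilities signal attacker interest and code quality.
    if p.cve_count >= 4:
        score += 2
    elif p.cve_count >= 1:
        score += 1
    # A memory-unsafe language raises the impact of any bug that is found.
    if p.language.lower() in {"c", "c++"}:
        score += 2
    # Network exposure: attacker-controlled input without local access.
    if p.network_exposed:
        score += 2
    # No website often means no visible maintainer or security contact.
    if not p.has_website:
        score += 1
    return score


def rank_projects(projects: List[Project]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest risk first (ties broken by name)."""
    return sorted(((p.name, score_project(p)) for p in projects),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample input; names and numbers are made up for this example.
SAMPLE_PROJECTS = [
    Project("libfoo-parse", cve_count=0, popularity=150_000, contributors_12mo=1,
            days_since_commit=900, has_website=False, language="C", network_exposed=True),
    Project("bigdaemon", cve_count=5, popularity=200_000, contributors_12mo=40,
            days_since_commit=3, has_website=True, language="C", network_exposed=True),
    Project("tinytool", cve_count=0, popularity=500, contributors_12mo=1,
            days_since_commit=400, has_website=False, language="Python", network_exposed=False),
]

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{score:2d}  {name}")
```

Note what the ranking does with the constructed data: the project with zero CVEs, one contributor and no commits in over two years comes out on top, ahead of the heavily used daemon that has five CVEs but a large active team. That is the "popular but hardly maintained" pattern the Census Project is meant to surface, and it is why CVE count alone is a poor proxy for risk: a project nobody is looking at files no CVEs.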

The Census Project is a key part of CII’s transition to move beyond point fixes toward more holistic, preemptive solutions for open source security. In addition to this new service, CII continues to fund key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, and face-to-face meeting coordination. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce, and VMware.

Additional Resources
The Census Project
The Census Project on GitHub
Census Project Short Summary
“Open Source Software Projects Needing Security Investments,” by David A. Wheeler, Project Leader (Institute for Defense Analyses) & Samir Khakimov (Institute for Defense Analyses)

About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects and Linux conferences, including LinuxCon, and by generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

Open Sourcing the Census Project

By Blogs

The Census Project, developed by David Wheeler and Samir Khakimov of the Institute for Defense Analyses (IDA), goes live today! CII co-funded the Census Project to automate analysis on a large number of open source projects to come up with a quick way to prioritize which projects to look at more closely. The Census Project calculates a “risk score” based on a number of metrics about the project, some of which are relatively static (language, website, network access) and some of which change over time (contributor count and popularity).

The results are fascinating. The Census Project is very, very good at identifying projects which are still widely popular, but which are hardly maintained. This is the sweet spot for the Core Infrastructure Initiative to look into to try to identify lurking issues and help find a way to fix them before they become problems for our core infrastructure.

The development team did an amazingly comprehensive overview of prior art before settling on the metrics in the program (check it out yourself in Section 2 of the whitepaper), but it is fun to speculate and even experiment with alternative metrics. For example, Florian Weimer suggested including the Fedora ABRT crash statistics, which I think is an inspired idea because, in aggregate, the crash reports are less game-able than CVE counts, include a nod to popularity, and show whether or not potentially critical issues are actually being fixed by projects.

We hope that this is the beginning of the discussion about which (automatable) metrics are important to assessing a project’s risk. I would like to invite you to provide feedback on the project, propose new projects to assess, help clean up the input data, and experiment with different metrics.

A big thank you goes out to Black Duck’s Open Hub and the Debian project for allowing the Census Project to use data from their sites to perform the calculations.

For more information, you can visit the website, download the code, and read the paper (in short form if you are in a hurry).

Introducing Myself to the CII Community

By Blogs

I am very excited to be joining The Linux Foundation as the senior director of infrastructure security to work on The Core Infrastructure Initiative. The challenge of securing software is not new, nor is it isolated to open source. What is unique right now though is how everyone has increasingly come to rely upon shared code to foster innovation and speed time to market. Research shows 90 percent or more of modern applications, both commercial and non-commercial, contain third-party open source code. As adoption grows, we have to ensure that critical open source software is supported, protected, and fortified.

Fortunately, without a moment’s hesitation last year, many rallied around the Linux Foundation to create the Core Infrastructure Initiative, a multi-million dollar project comprised of technology companies, security experts and developers, all of whom are committed to working collaboratively to identify and fund critical open source projects in need of assistance.

This is an incredibly important time for CII. The stakes have never been higher for open source software. Working together, I believe CII has the potential to make a major impact on the security of technology that we all use every day. And CII has made a difference already. Since CII started, we’ve seen improvement in the bug closure rate on funded projects.

Open source software encompasses a whole range of projects, some of which have strong vibrant communities around them and some which scratched a single developer’s itch. Our mission is to identify which of the most critical projects are the weakest and would benefit from help to become stronger. Beyond the initial triage, we’ll be focusing on industry best practices for secure open source development to further foster a culture of secure coding practices.

CII recently announced nearly $500,000 in new grants to support three very different, but important projects: 1) a new testing project leveraging Frama-C, 2) the Reproducible Builds initiative from Debian, and 3) the Fuzzing Project. Tools can be very expensive to create and use but can be a very effective force multiplier. I hope that CII’s investments in tooling will pay off in improved security for many projects. With these investments, CII is moving beyond ad-hoc, reactionary bug fixes to advance tooling projects that a wide number of projects can leverage to proactively improve security.

I am grateful to the Linux Foundation and the CII Steering Committee for entrusting me with this mission. When I first heard of the creation of the Core Infrastructure Initiative back in April 2014, I took the long overdue step of joining the Linux Foundation as an individual member, never dreaming that I would get this opportunity to actively foster the initiative. I have been advocating for, using, and contributing to open source software for a long time. I believe that open source software is more secure than people give it credit for (especially during the dark days of Shellshock and Heartbleed) and simultaneously not secure enough – more must be done. Open source software is not unique in this regard. It is a pet peeve of mine when people make bold proclamations about the security of open source without acknowledging that there exists a wide range of requirements, capabilities and practices in open source projects, just as in closed source. What is important is that we all come together to make sure that our most critical open source software is being cared for at a level that will ensure that it is responsive to vulnerability disclosure, proactively identifying and refactoring problematic code, performing positive and negative testing appropriately, and using the best tools available.

Improving cyber security will never be light work; our members know that many hands are needed to dramatically reduce global threats to online security. I’m honored to be working with the industry’s largest tech giants — Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware — on this critical endeavor.

CII is committed to fostering open source innovation and secure development practices. We have an amazing program in the making and we can make a difference. We need your help to make this work. Whether your interest is in best open source development practices, surveying open source communities, developing new tools, suggesting a grant or just general discussion about CII – we want to hear from you.

Thanks!

Emily Ratliff