Project Creates Methodology for Assessing Open Source Software in Need of Support
San Francisco, July 9, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced The Census Project, a new program that analyzes popular open source projects to identify which ones are critical to Internet infrastructure and also most in need of additional support and funding.
The Heartbleed vulnerability in the open source software (OSS) program OpenSSL had widespread impact and serious ramifications. It led to the formation of the multi-million dollar Core Infrastructure Initiative backed by The Linux Foundation and industry leaders like Amazon Web Services, Facebook, Google, IBM, Microsoft.
The Census Project expands on the CII’s efforts to collaboratively identify and fund critical open source projects in need of assistance. It automates the collection and analysis of data on different open source projects, ultimately creating a risk score for each project based on the results. Projects with a higher ranking are especially in need of reinforcements and funding; and, as a result, CII will consider such projects priority candidates for funding. A high score means that the project may not be getting the attention that it deserves and that it merits further investigation.
“Measuring software security is an ongoing struggle that’s notoriously difficult given missing or messy data,” said Jim Zemlin, Executive Director at The Linux Foundation. “There’s no perfect set of metrics to guarantee that software is secure or not. The Census Project brings the power of the open source collaboration to help fill this massive gap, which will provide a useful barometer for assessing software from a security point of view. We look forward to feedback on the effort in order to improve the census itself and subsequently the software that we all depend on for our privacy and security.”
With full source and data available on GitHub, developers and security experts are invited to participate in The Census Project, from experimenting with different metrics, providing corrected data, proposing new projects to include in the evaluation, and suggesting alternative formulas for combining the data. Anyone can issue a pull request with suggested changes from the most successful alternatives.
Who Oversees The Census Project and How is It Funded
The Census Project is coordinated by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA), a nonprofit organization that operates three federally funded research and development centers and exists to promote national security, preserve the public welfare, and advance scientific learning by analyzing, evaluating, and reporting on matters of interest to the United States Government.
Funded by CII and by the U.S. Department of Homeland Security Homeland Open Security Technology (DHS HOST) program for Georgia Tech Research Institute, IDA’s work is summarized in the new report “Open Source Software Projects Needing Security Investments,” which outlines past research and approaches used to calculate risk as well as Wheeler’s newest Census Project findings and methodology.
Supporting software for capturing data, sourced from the Black Duck Open HUB (formerly Ohloh), a free online community and public directory of free and open source software (FOSS), is written in Python by Samir Khakimov of IDA. The code is released under the open source MIT license.
Census Project Results
The Census Project is examining a subset of Debian software packages, which are widely used, and other packages CII and Wheeler’s team identified as potentially concerning. Using this process, the project pinpointed software CII already funds, including OpenSSL, OpenSSH, NTP, and GnuPG.
“The Census Project aims to become an excellent framework for guiding CII funding to the projects most in need,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “CII members expect The Census Project to accelerate the process by which projects that are in need receive support and additional funds.”
How the Census Projects Works
The Census Project automatically gathers important metrics, such as Common Vulnerabilities and Exposures (CVEs) filed and popularity, with a focus on less active projects. IDA and CII experts estimate a program’s exposure to attack using an algorithm to evaluate the data collected, which generates a list of projects that require more scrutiny. The algorithm also considers factors such as recent activity and if a project web site exists, to assign a risk index number ranging from 0-16. Final results of this cumulative process are available online with the ability to sort software by risk score, CVE count, contributor count and popularity.
The Census Project is a key part of CII’s transition to move beyond point fixes toward more holistic, preemptive solutions for open source security. In addition to this new service, CII continues to fund key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, and face-to-face meeting coordination. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce, and VMware.
The Census Project
The Census Project on GitHub
Census Project Short Summary
“Open Source Software Projects Needing Security Investments,” by David A. Wheeler, Project Leader (Institute for Defense Analyses) & Samir Khakimov (Institute for Defense Analyses)
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.