Announcements

Two Prominent Cyber Security Authorities Become New CII Advisory Board Members

Seattle, LinuxCon/CloudOpen North America, August 18, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced it is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software.

The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and is also coordinating the CII’s Census Project, and Dan Kohn, a senior adviser on the CII.

Virtually every industry and business leverages open source, and is therefore more interconnected and dependent on it than ever before. Despite its prevalence, trying to quickly determine the best maintained and most secure open source to use is a complex problem for both seasoned CIOs and nimble developers. The self-assessment, and the badges that will follow, are designed to be a simple, fairly basic way for projects to showcase their commitment to security and quality. The criteria is also meant to encourage open source software (OSS) projects to take positive steps with both in mind and to help users know which projects are taking these positive steps.

Established in 2014 in response to the Heartbleed vulnerability, CII is a multi-million dollar project that funds and supports critical elements of the global information infrastructure. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices.

“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure.”

Projects that follow best practices can still have vulnerabilities, other bugs, and other kinds of problems, but they should be a better position to prevent, detect and fix them.  For example, many practices suggest a multi-person review, which can help find otherwise hard-to-find vulnerabilities. Currently the criteria include general best practices combined with questions specific to security. The questionnaire asks if a project includes an OSS license; a public version-controlled source repository; a general mailing list; an automated regression test suite; and at least one static analysis tool applied to source code to look for vulnerabilities.

CII Adds Two New Advisory Board Members

Adam Shostack is a technologist, entrepreneur, author and game designer. He’s a member of the BlackHat Review Board and helped found the Common Vulnerabilities and Exposures (CVE) and many other things.  He’s been sharing knowledge about developing secure software since 1996.  While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of Microsoft’s SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game.  Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.” For more on Adam, see adam.shostack.org.

The second new CII advisory board member is Tom Ritter, Practice Director of Cryptography Services, part of NCC Group, where he performs application penetration testing and cryptographic analysis for multiple platforms and environments. He has spent several years leading application security assessments and research on everything from browsers to embedded cell towers, and before that worked as a developer in the financial services sector. Some of his public work can be seen at security conferences in Europe, North and South America and in managing NCC Group’s work with the Open Technology Fund and the Open Crypto Audit Project, comprising public reports on TrueCrypt, TorBrowser and several other applications. He is involved in IETF Working Groups for secure protocols, is a volunteer for the Tor Project, and works towards security, anonymity, and privacy on the Internet.

The CII also continues to provide funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. CII accepts grant applications ongoing with priority given to underfunded open source projects that support the largest amount of infrastructure. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.

Project Creates Methodology for Assessing Open Source Software in Need of Support 

San Francisco, July 9, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced The Census Project, a new program that analyzes popular open source projects to identify which ones are critical to Internet infrastructure and also most in need of additional support and funding.

The Heartbleed vulnerability in the open source software (OSS) program OpenSSL had widespread impact and serious ramifications. It led to the formation of the multi-million dollar Core Infrastructure Initiative backed by The Linux Foundation and industry leaders like Amazon Web Services, Facebook, Google, IBM, Microsoft.

The Census Project expands on the CII’s efforts to collaboratively identify and fund critical open source projects in need of assistance. It automates the collection and analysis of data on different open source projects, ultimately creating a risk score for each project based on the results. Projects with a higher ranking are especially in need of reinforcements and funding; and, as a result, CII will consider such projects priority candidates for funding. A high score means that the project may not be getting the attention that it deserves and that it merits further investigation.

“Measuring software security is an ongoing struggle that’s notoriously difficult given missing or messy data,” said Jim Zemlin, Executive Director at The Linux Foundation. “There’s no perfect set of metrics to guarantee that software is secure or not. The Census Project brings the power of the open source collaboration to help fill this massive gap, which will provide a useful barometer for assessing software from a security point of view.  We look forward to feedback on the effort in order to improve the census itself and subsequently the software that we all depend on for our privacy and security.”

With full source and data available on GitHub, developers and security experts are invited to participate in The Census Project, from experimenting with different metrics, providing corrected data, proposing new projects to include in the evaluation, and suggesting alternative formulas for combining the data. Anyone can issue a pull request with suggested changes from the most successful alternatives.

Who Oversees The Census Project and How is It Funded
The Census Project is coordinated by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA), a nonprofit organization that operates three federally funded research and development centers and exists to promote national security, preserve the public welfare, and advance scientific learning by analyzing, evaluating, and reporting on matters of interest to the United States Government.

Funded by CII and by the U.S. Department of Homeland Security Homeland Open Security Technology (DHS HOST) program for Georgia Tech Research Institute, IDA’s work is summarized in the new report “Open Source Software Projects Needing Security Investments,” which outlines past research and approaches used to calculate risk as well as Wheeler’s newest Census Project findings and methodology.

Supporting software for capturing data, sourced from the Black Duck Open HUB (formerly Ohloh), a free online community and public directory of free and open source software (FOSS), is written in Python by Samir Khakimov of IDA. The code is released under the open source MIT license.

Census Project Results 
The Census Project is examining a subset of Debian software packages, which are widely used, and other packages CII and Wheeler’s team identified as potentially concerning. Using this process, the project pinpointed software CII already funds, including OpenSSL, OpenSSH, NTP, and GnuPG.

“The Census Project aims to become an excellent framework for guiding CII funding to the projects most in need,” said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation. “CII members expect The Census Project to accelerate the process by which projects that are in need receive support and additional funds.”

How the Census Projects Works 
The Census Project automatically gathers important metrics, such as Common Vulnerabilities and Exposures (CVEs) filed and popularity, with a focus on less active projects. IDA and CII experts estimate a program’s exposure to attack using an algorithm to evaluate the data collected, which generates a list of projects that require more scrutiny. The algorithm also considers factors such as recent activity and if a project web site exists, to assign a risk index number ranging from 0-16.  Final results of this cumulative process are available online with the ability to sort software by risk score, CVE count, contributor count and popularity.

The Census Project is a key part of CII’s transition to move beyond point fixes toward more holistic, preemptive solutions for open source security. In addition to this new service, CII continues to fund key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, and face-to-face meeting coordination. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce, and VMware.

Additional Resources
The Census Project
The Census Project on GitHub
Census Project Short Summary
“Open Source Software Projects Needing Security Investments,” by David A. Wheeler, Project Leader (Institute for Defense Analyses) & Samir Khakimov (Institute for Defense Analyses)

About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

Linux Security Expert Emily Ratliff Hired to Oversee CII and Tackle Open Source Security 

San Francisco, June 22, 2015 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects in need of assistance, today announced financial support of nearly $500,000 for three new projects to better support critical security elements of today’s global information infrastructure. Established in 2014 in response to the Heartbleed vulnerability, more than 20 companies founded CII to fortify the security of key open source projects.

CII’s funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, and IT security researcher Hanno Böck’s Fuzzing Project. Additionally, The Linux Foundation is announcing Emily Ratliff is joining The Linux Foundation as senior director of infrastructure security for CII. Ratliff is a Linux, system and cloud security expert with more than 20 year’s experience. Most recently she worked as a security engineer for AMD and logged nearly 15 years at IBM.

“I’m excited to join the Linux Foundation and work on the Core Infrastructure Initiative because improving the security of critical open source infrastructure is a bigger problem than any one company can tackle on their own,” said Ratliff. “I’m looking forward to working with CII members to more aggressively support underfunded projects and work to change the way the industry protects and fortifies open source software.”

The CII provides funding for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The multi-million dollar project is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware.

New CII Grants and Projects include:

Reproducible Builds – For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by unknown attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.

Compiler output usually differs from one version to another. Even when reproducing the original build environment as closely as possible, specific information about the process such as date and time or ordering of files can introduce hard-to-understand variations in the build results. Enabling easy ways to record and restore a given build environment and making the compilation processes fully deterministic by removing or normalizing variations allows anyone to verify for themselves that the file they received was exactly what the developers intended.

Debian developers Holger Levsen and Jérémy Bobbio are steering a large-scale effort to eliminate unneeded variations from the build processes of thousands of free software projects, as well as provide tools to understand the source of these differences and update the infrastructure to allow developers to independently verify the authenticity of binary distributions.

Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. CII’s $200,000 grant will allow Levsen and Bobbio to meaningfully advance their Debian work and collaborate more closely with other distributions.

The Fuzzing Project – The fuzzing software testing technique is a powerful mechanism to identify security problems in software or computer systems. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck’s effort. He will receive $60,000 from CII to continue his work finding and reporting fuzzer-related issues in open source software. He works on improving and documenting the tools and methods to automatically find large quantities of bugs in software.

False-Positive-Free Testing – Pascal Cuoq, chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer’s widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

Cuoq’s new project supports a new flavor of TIS Analyzer named “TIS Interpreter” and a methodology that detects bugs with no false positives. Thus, any bug that is reported actually needs to be fixed. American Fuzzy Lop fuzzer will be used to automatically generate new test cases for OpenSSL from which TIS interpreter can detect bugs.

TIS Interpreter, expected to be released as open source software in early 2016, will use existing test cases to detect bugs with no false positives, which saves developers’ time. CII is investing $192,000 in this work, which combines existing technologies to test this new technique on OpenSSL, so that, if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.

“While each project we’re announcing funding for today is quite different, each is critical to our global computing infrastructure and cybersecurity. These new grants, combined with the stellar addition of Emily, mean CII is well-positioned to address critical infrastructure vulnerabilities in the months and years ahead,” said Jim Zemlin, Executive Director of The Linux Foundation. “Emily’s extensive Linux security experience and standards involvement will be a major asset to CII’s work as we move beyond point-fixes toward more holistic solutions for open source security.”

More About Emily Ratliff

As senior director of infrastructure security, Ratliff will set the direction for all CII endeavors, including managing membership growth, grant proposals and funding, and newly created CII tools and services. She brings a wealth of Linux, systems and cloud security experience to her new role. One of the first two people to work on base systems security at IBM’s Linux Technology Center, Ratliff contributed to the first Common Criteria evaluation of Linux, gaining an in-depth understanding of the risk involved when adding an open source package to a system. She has gained expertise working with open standards groups, including the Trusted Computing Group and GlobalPlatform, and has been a Certified Information Systems Security Professional since 2004.

CII accepts grant applications ongoing with priority given to underfunded open source projects that support the largest amount of infrastructure. A steering committee, which meets quarterly to review proposals, recently renewed annual grants for GnuPG, NTPd, OpenSSL, and OpenSSH to continue supporting developers and code audits. To submit a grant application or for more information, go to: http://www.linuxfoundation.org/programs/core-infrastructure-initiative.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

###

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

CII aims to extend funding to other, critical and underfunded projects

DUSSELDORF, Germany, LinuxCon and CloudOpen, October 13, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund critical open source projects that are in need of assistance, today issued a call for new grant proposals for open source projects seeking industry support.

While there are not formal requirements for proposals, grant requests should describe the history of the project, how it represents core Internet infrastructure and how the project would benefit from funding for developers, code audits or other measures. Grant proposals can be submitted on an ongoing basis. Decisions are made by CII’s twenty-member steering group, which is informed by an esteemed Advisory Board of community and industry experts.

CII earlier this year made initial grants to OpenSSL, NTP and OpenSSH. These grants have been used for code audits, hiring more developers and providing infrastructure.

“Our initial grants to OpenSSL, NTP and OpenSSH are already helping those core projects we all rely on,” said Linux Foundation Executive Director Jim Zemlin. “CII is now ready to expand the positive impact we hope to have on more open source projects that are critical to the Internet’s infrastructure.”

Grants proposals may be made online at https://www.linuxfoundation.org/programs/core-infrastructure-initiative

The members of the CII are Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Hitachi, Huawei, IBM, Intel, Microsoft, NEC, NetApp, Qualcomm, Rackspace, salesforce.com and VMware.

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #

The Linux Foundation’s CII adds Hitachi and NEC to roster of companies working to identify and fund open source projects in need of assistance

Chicago, Ill. LINUXCON & CLOUDOPEN, August 20, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund open source projects that are in need of assistance, today announced new backers. Hitachi and NEC will work with existing CII members to collaboratively identify and support the critical infrastructure projects most in need of support.

These newest backers join other members of CII who include Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Rackspace, salesforce.com and VMware. Comments from the newest members are included below.

“Hitachi and NEC are prioritizing support for some of the world’s most important open source projects and will help the industry move from crisis-driven responses to a measured, proactive approach to funding projects that are most in need,” said Jim Zemlin, executive director at The Linux Foundation. “Open source projects are the foundation for most of today’s global infrastructure and need be supported by the companies and users who rely on them.”

CII provides funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The Steering Committee, comprised of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers, are tasked with identifying underfunded open source projects that support critical infrastructure and administering the funds through The Linux Foundation.

Projects currently receiving funding include Network Time Protocol, Open Crypto Audit Project (OCAP), OpenSSH and OpenSSL. Other projects are under consideration and will be funded as assessments are completed and budget allows.

The Advisory Board includes Linux kernel developer Alan Cox; security and cryptography researcher Matthew Green; Radio Free Asia’s Open Technology Fund Director Dan Meredith; professor of law and legal history at Columbia University and founder of Software Freedom Law Center Eben Moglen; Fellow at the Berckman Center for Internet & Society at Harvard Law School Bruce Schneier; Program Officer for Human Rights for MacArthur Foundation; Eric Spears; and Linux kernel developer Ted Ts’o.

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give these projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Hitachi

“The Core Infrastructure Initiative is going to address the needs in today’s software industry – a neutral, collaborative project that allows companies to support the work of today’s most critical open source projects,” said Susumu Okuhara, General Manager of Service Development Operation, IT Platform R&D Management Division, Hitachi. “We’re proud to be a part of this group and look forward to the impact it can have on the long-term health of our global infrastructure.”

NEC

“NEC has long valued Linux and open source software and supported their development,” said Naoki Hashitani, vice president, NEC. “CII gives us the opportunity to extend the support to open source projects and developers who might not be funded or supported if there were not initiatives like CII.”

Anyone can donate to the Core Infrastructure Initiative fund. To join or donate or find out more information about the Core Infrastructure please visithttps://www.linuxfoundation.org/programs/core-infrastructure-initiative

Additional Resources

News Release: Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation Form New Initiative to Support Critical Open Source Projects

News Release: The Linux Foundation’s Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #