Open Sourcing the Census Project

By Blogs

The Census Project, developed by David Wheeler and Samir Khakimov of the Institute for Defense Analyses (IDA), goes live today! CII co-funded the Census Project to automate analysis on a large number of open source projects to come up with a quick way to prioritize which projects to look at more closely. The Census Project calculates a “risk score” based on a number of metrics about the project, some of which are relatively static (language, website, network access) and some of which change over time (contributor count and popularity).

The results are fascinating. The Census Project is very, very good at identifying projects which are still widely popular, but which are hardly maintained. This is the sweet spot for the Core Infrastructure Initiative to look into to try to identify lurking issues and help find a way to fix them before they become problems for our core infrastructure.

The development team did an amazingly comprehensive overview of prior art before settling on the metrics in the program (check it out yourself in Section 2 of the whitepaper), but it is fun to speculate and even experiment with alternative metrics. For example, Florian Weimer suggested including the Fedora ABRT crash statistics, which I think is an inspired idea because, in aggregate, the crash reports are less game-able than CVE counts, include a nod to popularity, and show whether or not potentially critical issues are actually being fixed by projects.

We hope that this is the beginning of the discussion about which (automatable) metrics are important to assessing a project’s risk. I would like to invite you to provide feedback on the project, propose new projects to assess, help clean up the input data, and experiment with different metrics.

A big thank you goes out to Black Duck’s Open Hub and the Debian project for allowing the Census Project to use data from their sites to perform the calculations.

For more information, you can visit the website, download the code, and read the paper (in short form if you are in a hurry).

Introducing Myself to the CII Community

By Blogs

I am very excited to be joining The Linux Foundation as the senior director of infrastructure security to work on The Core Infrastructure Initiative. The challenge of securing software is not new, nor is it isolated to open source. What is unique right now though is how everyone has increasingly come to rely upon shared code to foster innovation and speed time to market. Research shows 90 percent or more of modern applications, both commercial and non-commercial, contain third-party open source code. As adoption grows, we have to ensure that critical open source software is supported, protected, and fortified.

Fortunately, without a moment’s hesitation last year, many rallied around the Linux Foundation to create the Core Infrastructure Initiative, a multi-million dollar project comprised of technology companies, security experts and developers, all of whom are committed to working collaboratively to identify and fund critical open source projects in need of assistance.

This is an incredibly important time for CII. The stakes have never been higher for open source software. Working together, I believe CII has the potential to make a major impact on the security of technology that we all use every day. And CII has made a difference already. Since CII started, we’ve seen improvement in the bug closure rate on funded projects.

Open source software encompasses a whole range of projects, some of which have strong vibrant communities around them and some which scratched a single developer’s itch. Our mission is to identify which of the most critical projects are the weakest and would benefit from help to become stronger. Beyond the initial triage, we’ll be focusing on industry best practices for secure open source development to further foster a culture of secure coding practices.

CII recently announced nearly $500,000 in new grants to support three very different, but important projects: 1) a new testing project leveraging Frama-C, 2) the Reproducible Builds initiative from Debian, and 3) the Fuzzing Project. Tools can be very expensive to create and use but can be a very effective force multiplier. I hope that CII’s investments in tooling will pay off in improved security for many projects. With these investments, CII is moving beyond ad-hoc, reactionary bug fixes to advance tooling projects that a wide number of projects can leverage to proactively improve security.

I am grateful to the Linux Foundation and the CII Steering Committee for entrusting me with this mission. When I first heard of the creation of the Core Infrastructure Initiative back in April 2014, I took the long overdue step of joining the Linux Foundation as an individual member, never dreaming that I would get this opportunity to actively foster the initiative. I have been advocating for, using, and contributing to open source software for a long time. I believe that open source software is more secure than people give it credit for (especially during the dark days of Shellshock and Heartbleed) and simultaneously not secure enough – more must be done. Open source software is not unique in this regard. It is a pet peeve of mine when people make bold proclamations about the security of open source without acknowledging that there exists a wide range of requirements, capabilities and practices in open source projects, just as in closed source. What is important is that we all come together to make sure that our most critical open source software is being cared for at a level that will ensure that it is responsive to vulnerability disclosure, proactively identifying and refactoring problematic code, performing positive and negative testing appropriately, and using the best tools available.

Improving cyber security will never be light work; our members know that many hands are needed to dramatically reduce global threats to online security. I’m honored to be working with the industry’s largest tech giants — Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, and VMware — on this critical endeavor.

CII is committed to fostering open source innovation and secure development practices. We have an amazing program in the making and we can make a difference. We need your help to make this work. Whether your interest is in best open source development practices, surveying open source communities, developing new tools, suggesting a grant or just general discussion about CII – we want to hear from you.


Emily Ratliff

Deep Dive on CII’s Best Practices Badge Program on

By Blogs

Earlier this month, we announced the Core Infrastructure Initiative (CII) Best Practices Badges Program, a free program that seeks to determine security, quality and stability of open source software.

We received many inquiries from interested companies and developers for additional information about the CII badge program after its launch. Addressing the program’s most pressing questions on are Emily Ratliff, senior director of infrastructure security at The Linux Foundation and Dr. David Wheeler, open source and security research expert.

Determining software security is an industry-wide challenge for both proprietary and open source. The CII Best Practices Badge Program addresses this challenge by helping projects determine if they meet open source best practices quickly (generally, in less than an hour) and through a trusted source. Projects displaying a CII badge showcase the project’s commitment to security.

Read the Q&A here.