Does Open Source Need a Red Team?

garyebickford writes "IMHO the Open Source community (whatever that is) needs a Red Team project. This would be an open source project, but its output would be a process rather than a piece of software. If such a group exists, I'm not aware of it. This document and this page [from the Google cache] are from a commercial company (picked at random from a Google search) that provides similar services. The OS Red Team would provide 3rd party security testing, code review and evaluation for open source projects prior to release, providing a 'report card' stating what has been reviewed and tested, and recommending fixes. When a package is released, the Team's 'weather report' stating the probabilities that a package would survive different kinds of attack would be a valuable piece of information for prospective users." Do you think the Open Source Community would benefit from such an effort?

"The Team could also provide a set of recommended processes and tools for O.S. projects to follow prior to submission to the Red Team test queue. This by itself would be a valuable tool.

Such teams are sometimes used by companies to test the security of their networks and software. The O.S. community have done an excellent job so far, but as open source is used more and more by the mainstream computer users, vetting by a 3rd party would help make many organizations more likely to accept a piece of O.S. software.

The Team would, like any open source project, be comprised of both experts and newbies. The newbies would have the opportunity of doing real testing under the guidance of folks who know more, thereby becoming more expert themselves. The experts would provide a centralized open-source-oriented set of recommendations and specialized review as needed.

Either the Red Team or its members could also provide paid services for commercial software, and could participate with university CS departments in training students, providing the opportunity for valuable cross-training between schools. It might even be possible to arrange course credit for work on the Team.

Many Open Source projects could benefit from such a 3rd party group to recommend development procedures, code styles, and actual testing to teach and motivate better security practices in code design. The plain fact is that many (most?) of us developers are not completely 'up' on the issue of security - it's a very dynamic area of specialization. This initiative could be another resource that will be useful in establishing OS in the mainstream."

Funding? Needed at All?

[hbo]

OK, so you are going to hire highly experienced and expensive talent to do security audits for open source projects that don't have a revenue model? Where's your revenue model?

And of course, the benefit of open source is that all sorts of motivated, talented people from all over the world pitch in to do a similar analysis for free, and without a formal "red team." This breaks down quite a bit with the volume of Free Software being produced nowadays, however. But the important pieces of infrastructure (Apache, e.g.) DO get the scrutiny their importance demands. Not to mention pounding by black hats.

Someone mentioned OpenBSD. But even they don't audit everything. They confine their attention to the core of the OS. That's quite a lot of software, but the ports tree is quite a bit more. The ports get somewhat more attention than they would simply because you've got a large set of security conscious users.

Re:Funding? Needed at All?

[garyebickford]

A couple of points on funding were made either in the original or by others - I noted that either the project as a whole or members individually might sell the service for commercial software or business clients who want the security. I also noted (this is a bit more difficult) that some universities might offer credit for participation - many open source projects are now essentially university projects, such as PHPWebSite.
The paper by _iris (92554) suggested previously that this function might be part of an insurance package. Business insurers often require IT emergency plans, risk analysis and 3rd party network security audits, and might reasonably require a company moving to open source software (read, "unknown vendor") to have the software reviewed. This is exactly where the idea of a group specializing in OS software would fit and quite possibly make money.

As for "all sorts of motivated, talented people", I think you're making my point. The "Red Team" project could provide a focus for those folks to achieve some synergy - I'm not involved in that area much but I suspect that a lot of those folks are feeling 'behind the curve' lately. It's amazing how well the community has done. A project that focusses that effort could greatly improve the availability of the 'right' information and fast access to folks who have the experience.

I do disagree with your thought that the "important pieces" get scrutinized, if you mean to say that's sufficient. The problem is that, using Apache for example, Apache itself can be bulletproof but many scripting projects using modperl, PHP, JSP, etc. are not. The result is a server that is nearly as vulnerable as if Apache itself had a vulnerability.

Apache scripting is what triggered my thought on this topic. A large number of scripting vulnerabilities have been reported lately. I can't guarantee that the scripts I've written have been bulletproof. I'd like to have a resource that, perhaps with some configuration by me, could run through a set of tests of my scripts. This couldn't guarantee anything but it could help developers.

Maybe you should try asking the OSDL

[Alpha27]

http://www.osdl.org/

I recall they are an organization sponsored by big names in the IT industry, that could possibly emplore such an idea. Their idea is to proviude enterprise class testing to help advance the linux community. I don't see why this couldn't be an extension of it.

I'm sure a nicely worded, thought out paper explaining the benefits would at least get a response, and possibly spike some interest.