US Homeland Security to Support Open Source

An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."

Symantec?

Symantec? Open source?? Where?!

Good Start

[Artie+Dent]

"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," While a agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

Source code analysis tools

[grimJester]

The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.

And why again is Symantec trustworthy ?

[CaptainZapp]

Being one of the companies not detecting the infamous Sony rootkit I'd be really interested to know why Symantec should be trusted for anything security related.

As far it concerns me I deeply distrust all "security companies" since this little incident.

Want to Improve OSS Security?

[Greyfox]

Start up the old auditing program again. Source code auditing is boring work, but another set of eyes going over the code with security in mind really does help a lot. Just go down every function in the C library and work your way out to common daemons and system utilities that usually run setuid. Maybe spend some quality time with common tools that access the internet like firefox, email clients, etc. Just read each function looking for buffer overflows and other ways it might be compromised, document what you find, write a test to try to crash it, submit patches to the original authors and publish your findings and tests on the web somewhere. That leaves you with a full set of security regression tests for every product you look at.

A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.