EU To Give Free Security Audits To Apache HTTP Server and Keepass (softpedia.com)
An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.
The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.
EU to give taxpayer-funded security audits.
The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament
Damn, they are quite desperate to *seem* to be doing something useful. But yet again the bureaucrats think themselves the solution, to want to grow their departments and "fiefdoms", NOT! If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.
An open-source password manager (and generator I believe?)
http://keepass.info/
For lots of OSes: http://keepass.info/download.h...
With lots of plugins: http://keepass.info/plugins.ht...
Public IT is definitely who should not be responsible for this kind of testing
Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked. :-)
Hey, I'm a European, and I welcome this. Apache is widely used, and its security is for the common good. At the very least, this is a step in the right direction. The only downside I can think of is that Apache is already heavily scrutinized by both static analyzers and 'real human being' audits, so this particular choice may be of limited use. Still, a major step forward in my opinion.
I agree. While they might find something, they will not have the skills to come up with a good final verdict and recommendations. Really good IT Security people (needed for this) will not work for a government bureaucracy in the first place, far too boring.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked.
I hacked her server. I know, it's hard to believe, right?
But here's the proof:
I found an email that said, "I let Benghazi happen because I hated them. Let them die."
Then another one, "Top security? I personally mail these things to Putin, I'm such an evil person."
Then another one, "I love Bill."
Then, "Hey Don, let's get this plan started. I can't lose with you running!" Not sure who Don is, probably Knuth. I heard he was a track star or something.
There it is. I hacked Hillary's server and gave you the proof. If you don't believe me, it's because you're one of the sheep.
Not necessarily, it depends on their goals.
Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant. Projects like this are a great idea. You do something "pro bono", actually useful for you and your society. At the same time you keep the team funded, ready for when you need them more. And, most importantly - you keep them busy doing their actual job, the best form of training there is.
And University researchers are unavailable, unwilling to answer the occasional call?
As someone who has worked for many, many years at a European university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.
By the way, do you have any idea how long this "occasional" call would take? This is the EU, with all the regulations. Weeks to prepare the call. At least a month for the call, preferably at least two. A few months for the review and grant agreement preparation. Typically 8-12 months total. Alternative? Public tender. Also months, but not so many. But how do you make sure you can trust the company? It's the era of globalization; if you want to know whether software from e.g. a US/Russian company is secure (as in some real chance of detecting NSA/FSB modifications), the last thing you want is a European branch of another company with ties there. Difficult to ensure with a public tender.
Solution? Have your own small but good team that can do this in less time than a tender or call would take.
Supporting your EU universities and sponsoring research for professors and students does not benefit society?
Yes it does. So, fund it! Pushing routine work like this on us limits our ability to do new things, which is the essence of "research". And we will take any work that is called "research" and offers money; that's how universities get money after all.
I've done my share of work which should never have been given to a university. Routine software development, code review, testing, etc. Practically zero publishable results. Plus, universities do not give the same quality and warranty as a software company in this case. Still, this is a growing trend - throwing such tasks into "research programmes". Expected TRL is growing. Instead of building fascinating prototypes and leaving the conversion to product to spin-offs, universities waste time and talent doing routine work themselves (in consortia, to make things worse). But it's too tempting - instead of allocating budget for something, you just call it a research project and fund it from the science budget. Bingo!
So the internal team is bloated and short on work, but the department/fiefdom must be preserved?
So firefighters should only be recruited when there actually is an emergency? Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.
What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person to analyze malware. All IT jobs/tasks are not equivalent.
What makes you think this would be the same group that runs around installing printers? All IT jobs/tasks are not equivalent. This sort of pro-bono work is exactly a good way of keeping your team of 2-3 security audit guys away from such work and doing exactly what they were hired for. Yes, that team can formally be a part of your "IT services". No, it does not mean they have to be simple support guys with a new task, very much exceeding their competence level.