Open Source Hardening Project

The Open Source Hardening Project is an initiative of the United States Department of Homeland Security (DHS), created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critical systems in the U.S. run on open source software, the security of these applications is crucial.

Participants in the project were given grants from Homeland Security: Stanford University ($841,276), Coverity ($297,000) and Symantec ($100,000). Stanford and Coverity collaboratively developed Prevent, a static analysis tool that automatically scans the source code submitted by open source programmers to popular projects. The defects it finds are documented in a database for the development community, and a defect flagged by the scanner is a candidate vulnerability that the project's developers must still confirm and fix. The scanning service itself is called Scan. Coverity employs a rating system called the "Scan Ladder" to rank projects on a progressive track to security certification. Symantec's role is to test Scan on the proprietary software that it works with and to provide security expertise.

Homeland Security lists the Department's priorities in its National Strategy to Secure Cyberspace document:

  • Identifying and remediating existing vulnerabilities.
  • Developing systems with fewer vulnerabilities and assessing emerging technologies for vulnerabilities.

They list sub-priorities as:

  • Securing the mechanisms of the Internet.
  • Improving the security and resilience of key Internet protocols.
  • Reducing and remediating software vulnerabilities.
  • Assessing and securing emerging systems.

In the project's first year, 50 projects were scanned and over 6,000 defects were fixed by open source developers using Prevent's results. In the second year, 150 projects were scanned. By March 2008, 7,826 defects had been fixed in 267 projects. Projects that climb the Scan Ladder by fixing the most reported defects get access to more of Prevent's features.

The project, formally known as the Vulnerability Discovery and Remediation, Open Source Hardening Project, launched in March 2006 and is scheduled to run for three years with a budget of $1.24 million. Some of the better-known projects scanned include Apache, Firefox, GIMP and several Linux distributions and BSD variants.

This was last updated in April 2008
Posted by: Margaret Rouse
