Open Source Hardening Project
SearchSecurity.com Definitions (Powered by WhatIs.com)

DEFINITION - The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critical systems in the U.S. run on open source software, the security of these applications is crucial.

Participants in the project were given grants from Homeland Security: Stanford University ($841,276), Coverity ($297,000) and Symantec ($100,000). Stanford and Coverity collaboratively developed Prevent, an automated system for scanning submissions from open source programmers to popular projects. Vulnerabilities found are documented in a database for the development community. Coverity employs a rating system called the "Scan Ladder" to rank projects on a progressive track to security certification. Symantec's role is to test out Scan in the proprietary software that they work with and to provide security expertise.

Homeland Security lists the Department's priorities in its National Cyberspace Strategy document:

  • Identifying and remediating existing vulnerabilities.
  • Developing systems with fewer vulnerabilities and assessing emerging technologies for vulnerabilities.

It lists the sub-priorities as:

  • Securing the mechanisms of the Internet.
  • Improving the security and resilience of key Internet protocols.
  • Reducing and remediating software vulnerabilities.
  • Assessing and securing emerging systems.

In the project's first year, the 50 projects scanned yielded over 6000 vulnerabilities, which were fixed by open source developers using Prevent's results. In the second year, 150 projects were scanned. By March 2008, 7,826 defects had been fixed in 267 projects. Higher-ranked projects, those that fix the most vulnerabilities, get deeper access to Prevent's features.

The project, formally known as the Vulnerability Discovery and Remediation, Open Source Hardening Project, launched in March 2006 and is scheduled to run for three years, with a budget of 1.24 million dollars. Some of the better-known projects scanned include Apache, Firefox, GIMP and a number of Linux and BSD distributions.

LAST UPDATED: 08 Apr 2008

Read more about Open Source Hardening Project:
- News.com reports on the initiation of the Open Source Hardening Project.
- SearchSecurity.com describes how the Open Source Hardening Project is discovering flaws.
- This PDF document evaluates Prevent.
- Coverity offers a FAQ list about Scan.

All Rights Reserved, Copyright 2003 - 2008, TechTarget