Open Source Hardening Project



DEFINITION - The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critical systems in the U.S. run on open source software, the security of these applications is crucial.

Participants in the project were given grants from Homeland Security: Stanford University ($841,276), Coverity ($297,000) and Symantec ($100,000). Stanford and Coverity collaboratively developed Prevent, an automated system for scanning submissions from open source programmers to popular projects. Vulnerabilities found are documented in a database for the development community. Coverity employs a rating system called the "Scan Ladder" to rank projects on a progressive track to security certification. Symantec's role is to test out Scan in the proprietary software that it works with and to provide security expertise.

Homeland Security lists the Department's priorities in their National Cyberspace Strategy document:

  • Identifying and remediating existing vulnerabilities.
  • Developing systems with fewer vulnerabilities and assessing emerging technologies for vulnerabilities.

They list sub-priorities as:

  • Securing the mechanisms of the Internet.
  • Improving the security and resilience of key Internet protocols.
  • Reducing and remediating software vulnerabilities.
  • Assessing and securing emerging systems.

In the project's first year, 50 projects scanned yielded over 6000 vulnerabilities, which were fixed by open source developers using Prevent's results. In the second year there were 150 projects scanned. By March 2008, 7,826 defects had been fixed in 267 projects. Higher ranked projects that fix the most vulnerabilities get deeper access to Prevent's features.

The project, formally known as the Vulnerability Discovery and Remediation, Open Source Hardening Project, launched in March 2006 and is scheduled to run for three years, with a budget of 1.24 million dollars. Some of the better-known projects scanned include Apache, Firefox, GIMP and a number of forms of Linux and BSD.

LAST UPDATED: 08 Apr 2008

