The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critical systems in the U.S. run on open source software, the security of these applications is crucial.
Participants in the project were given grants from Homeland Security: Stanford University ($841,276), Coverity ($297,000) and Symantec ($100,000). Stanford and Coverity collaboratively developed Prevent, an automated system for scanning submissions from open source programmers to popular projects. Vulnerabilities found are documented in a database for the development community. Coverity employs a rating system called the "Scan Ladder" to rank projects on a progressive track to security certification. Symantec's role is to test out Scan in the proprietary software that they work with and to provide security expertise.
Homeland Security lists the Department's priorities in their National Cyberspace Strategy document:
- Identifying and remediating existing vulnerabilities.
- Developing systems with fewer vulnerabilities and assessing emerging technologies for vulnerabilities.
They list sub-priorities as:
- Securing the mechanisms of the Internet.
- Improving the security and resilience of key Internet protocols.
- Reducing and remediating software vulnerabilities.
- Assessing and securing emerging systems.
In the project's first year, 50 projects scanned yielded over 6000 vulnerabilities, which were fixed by open source developers using Prevent's results. In the second year there were 150 projects scanned. By March 2008, 7,826 defects had been fixed in 267 projects. Higher ranked projects that fix the most vulnerabilities get deeper access to Prevent's features.
The project, formally known as the Vulnerability Discovery and Remediation, Open Source Hardening Project, launched in March 2006 and is scheduled to run for three years, with a budget of 1.24 million dollars. Some of the better-known projects scanned include Apache, Firefox, GIMP and a number of forms of Linux and BSD.