Mozilla Secure Open Source Fund to aid developers with audits

Mozilla created the Secure Open Source Fund to help developers perform security audits on software in an effort to reduce the potential of another Heartbleed or Shellshock.

To improve security for open source software, Mozilla has created a fund to help developers perform security audits on programs with an initial allocation of $500,000.

The new Secure Open Source Fund is part of the Mozilla Open Source Support program that was formed in October 2015. Chris Riley, head of public policy for Mozilla, said in a blog post the Mozilla Secure Open Source Fund "will provide security auditing, remediation and verification for key open source software projects ... of some widely used open source libraries and programs."

"But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support. We challenge these beneficiaries of open source to pay it forward and help secure the internet," Riley wrote. "Security is a process. To have substantial and lasting benefit, we need to invest in education, best practices and a host of other areas. Yet, we hope that this fund will provide needed short-term benefits and industry momentum to help strengthen open source projects."

The plan includes Mozilla contracting and paying professional security firms to audit other projects' code, working with project maintainers to support and implement fixes and to manage disclosure, and paying for the remediation work to be verified so that any identified bugs are confirmed fixed.

Riley wrote that Mozilla wants to avoid the next Heartbleed or Shellshock vulnerability and has already tested the process with three pieces of open source software in which 43 flaws were found and patched.

Experts were bullish on the possibilities of the Secure Open Source Fund.

James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies in Washington, D.C., said an initiative like this is valuable because "so much of the code we rely on uses open source software."

"It's embedded in commercial products and provides for key internet operations. This software is often neglected when it comes to patching and updating," Lewis wrote. "All software has exploitable flaws -- it's the nature of coding. Left unattended, these bugs create opportunities for crime and disruption. Mozilla's [Secure Open Source] fund fills a critical gap in cybersecurity by creating incentives to find the bugs in open source and letting people fix them."

Adam Meyer, chief security strategist at SurfWatch Labs Inc., based in Sterling, Va., said "the new Secure Open Source Fund will increase the level of trust in software supply chains and reduce risk," assuming it is executed wisely.

"Almost all organizations, whether they know it or not, are dependent on many open source libraries," Meyer told SearchSecurity. "A large number of vendors integrate open source applications within their product lines, and this opens up a risk of critical devices being reliant on loosely supported, open source applications. Heartbleed showed us this."
