- Robert Richardson, Editorial Director
The clear takeaway from the community-funded project to perform a transparent security audit of the TrueCrypt encryption utility is ... well, honestly, it's not entirely clear what happened. The first of two phases of the audit found no major issues. Then the anonymous creators of TrueCrypt, out of the blue, declared the utility insecure and their open source project dead.
Whether TrueCrypt is still fit to use, I have no idea (though I'm now suspicious of it), but its audit and demise raise key questions about security in open source software. Johns Hopkins' Matthew Green and others thought we needed an ongoing group to perform security audits of important open source products. This gave rise to the Open Crypto Audit Project (OCAP), which addresses at least the tip of the security iceberg by focusing on auditing open source crypto libraries and tools. But it leaves the rest of open source (which is practically all of it) without a security auditing team of record; we can probably let that rest until we can, at least, trust the crypto.
The community-driven OCAP definitely brought in some of the Internet's heavy hitters. The folks behind OCAP saw right away that they'd have to involve people who are widely recognized and trusted within both the open source and global security communities. The Technical Advisory Board includes industry veteran Bruce Schneier, Matasano Security's Thomas Ptacek, computer security researcher Moxie Marlinspike, and others with significant crypto cred. The Board of Directors includes, among others, Marcia Hofmann, the lawyer I'd call if the Department of Justice came after me.
This community-driven initiative is exactly the sort of thing that ought to be happening, and I'd encourage you to drop by opencryptoaudit.org and offer to help them out. Just for starters, you might help them get the "Contribute" page working. Judging from their "Press" link, they could use some help in the PR department as well. I'm not saying this out of snark, but just that it needs doing and it's worth it.
Getting back to that iceberg, though: What about the security of all the open source code out there that isn't a crypto library? Some of it gets beaten into shape (the Firefox browser, say) because it is attacked so roundly and unceasingly. But what about all those random libraries? Some commercial services will, at least, help you catalogue what you're using and flag the components with known, published vulnerabilities. That is an inventory check against what has already been found, not an audit; who's going to audit the actual code?
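To make concrete what the "catalogue what you're using" services do, and what they don't, here is an added example (not from the column or from any product it mentions): a minimal check of a pinned dependency list against a list of published advisories. Every package name, version and advisory below is constructed for illustration; none refers to a real project or a real vulnerability. It shows the mechanics of such a check, version-range matching over an inventory, and by construction it can only report what someone has already disclosed; a component with no advisory comes back clean whether or not anyone has ever audited it.

```python
"""
Minimal known-vulnerability check over a pinned dependency list.

Added example, not part of the original column. Package names, versions
and advisories below are constructed; none refer to real software or
real vulnerabilities.
"""
from typing import Dict, List, Tuple

# Constructed lockfile content in requirements.txt style (hypothetical service).
LOCKFILE = """\
# pinned dependencies for a hypothetical service
examplecrypto==1.4.2
examplehttp==0.9.0
exampleparser==2.1.0  # trailing comment after the pin
examplelog==3.0.1
"""

# Constructed advisory feed: package -> list of (introduced, fixed) ranges.
# A pinned version is affected when introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplecrypto": [("1.0.0", "1.4.3")],
    "exampleparser": [("2.0.0", "2.0.5"), ("2.1.0", "2.1.1")],
    "examplelog": [("0.0.0", "2.9.0")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings.

    A pre-release suffix such as '1.4.2-rc1' is dropped; that is a simplification
    of real version schemes, adequate for the constructed data here.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {name: version} for 'name==version' lines; skip blanks and comments.

    An unpinned line is an error: without an exact version there is nothing
    to match an advisory range against.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_known_vulnerabilities(
    pins: Dict[str, str], advisories: Dict[str, List[Tuple[str, str]]]
) -> List[Tuple[str, str]]:
    """Return (name, version) for each pinned component with a matching advisory.

    A component absent from the feed is silently reported as clean: the check
    knows nothing about code nobody has examined.
    """
    findings = []
    for name, version in sorted(pins.items()):
        ranges = advisories.get(name)
        if ranges and is_affected(version, ranges):
            findings.append((name, version))
    return findings


if __name__ == "__main__":
    for name, version in find_known_vulnerabilities(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{name}=={version}: matches a published advisory range")
```

Run as-is, it reports examplecrypto 1.4.2 and exampleparser 2.1.0 and says nothing about examplehttp, which has no advisory at all; that silence is exactly the gap the column is pointing at.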
If we're honest, the answer is almost certainly that no one is going to do it. And auditing after the fact isn't really even the right way to tackle the problem. If we want secure code, whether commercial or open source, the best approach is to develop it securely from the outset. Doing this, we've seen, requires a kind of commitment to security that most companies doing software development seldom muster.
But open source tends to be something of an agglomeration of programmers -- some brilliant, some boneheaded -- around a core developer or two. I think it just might be possible to influence the small group of programmers at the core of each open source project to create a culture that develops secure code. In fact, in some ways it might even be easier to do with open source projects because they, for the most part, don't face the arbitrary deadlines of the commercial world.
So maybe there's room for a cousin to OCAP, some sort of Secure Open Source Institute. I don't mean something like OWASP (Open Web Application Security Project), which of course does focus on secure development, but rather an organization that helps the leaders of projects communicate the security requirements for their work and which perhaps provides limited architectural audit resources -- enough to get the initial framework of the design in good, secure order. Not an easy undertaking, but until then aren't we, more or less, just guessing about the security of open source code?
About the author:
Robert Richardson is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @cryptorobert.