New Fund for Open Source Security Audits

Tuesday, June 14, 2016 @ 02:06 PM gHale


Secure Open Source (SOS), a new Mozilla fund, looks to offer security audits of open-source code.

The move comes after critical security bugs like Heartbleed and Shellshock were found in key pieces of software.

Mozilla set up a $500,000 initial fund used for paying professional security firms to audit project code. The foundation will also work with the people maintaining the project to support and implement fixes and manage disclosures, while also paying for the verification of the remediation to ensure bugs end up taken care of.

The initial fund will cover audits of some widely-used open source libraries and programs.

Mozilla recognizes the growing use of open-source software for critical applications and services by businesses, government and educational institutions.

“From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – runs using open source technologies,” said Chris Riley, Mozilla’s head of public policy, in a blog post.

Mozilla wants companies and governments that use open source to join and provide additional funding for the project.

In a trial of the SOS program on three pieces of open-source software, Mozilla said it found and fixed 43 bugs, including a critical vulnerability and two issues in connection with a widely-used image file format.

The Linux Foundation has a Core Infrastructure Initiative (CII) that also aims to secure key open-source projects, in collaboration with technology companies like Amazon Web Services, Cisco, Google and Facebook. CII, set up in April 2014, was a response to the Heartbleed bug.

Mozilla said the role of SOS is complementary as it targets “a different class of OSS projects with lower-hanging fruit security needs.”

To qualify for SOS funding, the software must be open source or free software, with the appropriate licenses and approvals, and must be actively maintained. Other factors are whether a project already has corporate backing, how commonly the software is used, whether it is network-facing or regularly processes untrusted data, and how important it is to the continued functioning of the Internet or the Web.