SEATTLE -- How do you know if an open-source project is mature, well-staffed, and secure? Those are darn good questions with no easy ways to find the answers. Reputation alone won't cut it. OpenSSL's Heartbleed security hole blew the doors off that idea last year. So, the Core Infrastructure Initiative (CII), which enables companies and developers to identify and fund critical impoverished open-source projects, announced at LinuxCon that it's developing a Badge Program to promote projects that do security right.
This is a work in progress. The CII is seeking input from the open-source community on what criteria should be used to determine security, quality and stability of open-source software.
The first draft of the criteria is available on GitHub. This project is being spearheaded by David A. Wheeler, an open-source and security research expert who works for the Institute for Defense Analyses (IDA) and Dan Kohn, a senior CII adviser.
In this beta version, the criteria include general best practices combined with questions specific to security. These questions include such basics as: Does the project include an open-source license; a public version-controlled source repository; a general mailing list; an automated regression test suite; and at least one static source code analysis tool.
The CII hopes that the resulting badge system will encourage developers to think seriously about security. It's designed to be a simple, basic way for projects to showcase their commitment to security and quality. In short, it's a carrot to encourage the use of modern security programming techniques for open-source projects. The stick, of course, is a major disaster such as Heartbleed.
"By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also help developers to be able to quickly assess the health of a project that they depend on," said Emily Ratliff, Senior Director of Infrastructure Security at The Linux Foundation during a LinuxCon press meeting. "A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open-source projects. This will improve our global Internet infrastructure."
Kevin Fleming, a member of Bloomberg's CTO Office added that the point is to "teach people to do things better." And, in particular it's meant to reach those small open-source projects with only a handful of people who "don't work for Google, Bloomberg, or The Linux Foundation and don't want to either."
Pascal Cuoq, head of the Frama-C Project, a static C analysis tool agreed. "They [independent open-source developers] may be a little difficult; I can say that because I'm one of them."
That's not to say that even projects that follow best practices won't have bugs. They will. The idea is that badged open-source projects will have shown that they're better able than others to prevent, detect and fix them.
After that, the CII plans to try to educate independent developers about how to secure their software. These plans are very much up in the air.
Mark Cartwright, a Microsoft Security Engineering Center Group Program Manager, has suggested that the CII follow Microsoft's Security Development Lifecycle model. In this program, which was prompted by Bill Gates's 2002 "Trusted Computing memo," developers are educated about security and are encouraged to share bug reports with each other.
The problem with the Security Development Lifecycle model, as was quickly pointed out at the press conference, is it doesn't work. A case in point, Microsoft just issued yet another emergency Internet Explorer patch for all Windows versions.
That said, some aspects of Microsoft homegrown security plan, such as automated testing, would help make small open-source projects safer. Indeed, anything that will help automate security practices for open-source projects, particularly the smaller, vital ones, would be welcome.
Looking ahead the CII also hopes to determine best practices for creating secure open-source programs. Another problem, the CII knows, is that as vital open-source programmers grow older, we need to find, as Cuoq put it, a way for "The code to live beyond the original developers."
The CII is still sticking with its original course of providing funding for key developers to work full-time on open-source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The group is also continuing to accept grant applications. As it has since the CII was founded priority is given to underfunded open-source projects that support the largest amount of infrastructure.