Given that the Internet itself grew out of Defense Dept. funding, there is a certain poetic justice (if that's the phrase) in the Dept. of Homeland Security now funding the "hardening" of critical open source software, News.com reports.
Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis.
The project will involve scanning builds for security holes and building a database of bugs, sources said.
The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.
Coverity hailed the funding, saying it would also make proprietary software that relies on its database more secure, but the Apache Foundation and other OSS developers note that they are getting no help in fixing the bugs the scans turn up.
"It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," Apache Foundation's Ben Laurie said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"