Homeland Security moves to strengthen open source software

It’s no secret that the U.S. government, as most businesses are today, is a big consumer of open source. The question is, as more and more critical projects begin to rely on community-contributed code, how can the government be sure that the software it’s using meets its own standards for security and reliability?

“You’ve got a lot of [government] departments that are using open source,” says Rob Rachwald, senior director of marketing at Coverity , a maker of static software analysis tools. “There’s millions and millions of lines of code. And unless you get some sort of automated way to keep it under control and understand what the defects are, where the vulnerabilities might be, and a way to cleanse it, it just gets out of control.”

So last week the Department of Homeland Security (DHS) took action, issuing a grant of $1.24 million to be shared between Coverity, Stanford University, and security vendor Symantec. The Stanford team, working under associate professor Dawson Engler (himself a co-founder of Coverity), will develop a system to audit the most popular open source applications for software defects, using security intelligence from Symantec and Coverity’s testing software.

In traditional software QA testing, analysts run a set of test cases against their application and note whenever bugs, crashes, or unexplained behaviors occur. With static analysis tools such as Coverity’s, on the other hand, the application is never executed. Instead, the tools work by examining the program code itself. For example, if a programmer wrote a routine that allocated memory but forgot to write code to release those resources when they were no longer needed, Coverity’s tools would identify that defect by examining the source code.

“What Coverity’s looking for is logical, structural flaws in the programs,” Rachwald says. “If you wrote an algorithm and you input two numbers, 1 and 1, and the result comes out to 3, that’s not something that we’ll check for. The developers within a company have to make sure their algorithms work.”

But although static analysis can’t magically create perfect software, Rachwald says this type of testing lets programmers identify software defects much earlier in the software development process than the traditional runtime method allows. It also allows them to test a much greater percentage of their code in the same period of time. According to Rachwald, testing all 750,000 lines of code in the latest version of MySQL would take Coverity only about two hours.

The results of those tests will benefit not just the government, but any organization that relies on open source software for mission-critical work. Still, Rachwald says, making that defect information available to the open source community could still present a challenge. He believes that working with individual open source projects to make sure they receive defect reports in a way that’s useful and actionable will be a key role for Coverity in the DHS initiative.

“It obviously doesn’t make sense to scan something a hundred times if nobody’s going to touch it between those scans,” Rachwald says.

Addressing the defects in open source software is going to take more than just information, however. It’s also going to take money — which is why this initial DHS grant could be just the tip of the iceberg. As improving the quality of open source software becomes more and more in the best interests of the U.S. government, expect to see the government increasingly become not just a consumer of open source, but an active participant.