by Matt Asay

Department of Homeland Security ups its investment in open source security

Mar 27, 2007

A year ago the Department of Homeland Security contracted with Coverity, a maker of a source code analysis tool, to harden open source software. (Stanford University and Symantec are also involved.) Basically, developers at open source projects (not primarily affiliated with a corporation) can submit their code to scan.coverity.com and have it scanned for security vulnerabilities. The project, as announced today, has been very successful.

In the first year, developers fixed an average of 16 defects a day. Many of the new projects are so widely used that a single serious defect could affect millions of people. For example, Coverity added regular scans of zlib, a compression program used in more than 500 applications, including MSN Messenger, Microsoft Office, QuickTime and Apache. Other new projects include FreeRADIUS, a software application that provides secure authentication to 100 million users on the Internet and on business networks.

Because of the success of the project, DHS is expanding the program to an additional 50 projects, bringing the total to 150 projects under review (and 35 million lines of code).

All of which is very significant. But what I like best in the blurb is the fact that lots of proprietary software depends on the security of lots of open source software. So however much Microsoft and others may want to cast aspersions on open source software, they can’t realistically do it very much without bringing their own software under a cloud of doubt.

Could these proprietary companies rip out the open source software? Of course they could. But the fact that they’ve opted to use open source components says something: the quality of the open source software is very good, and there is no compelling reason not to use it.