DHS Open Source Hardening Project
hlhowell at pacbell.net
Tue May 20 17:50:53 UTC 2008
On Tue, 2008-05-20 at 09:58 -0400, McGuffey, David C. wrote:
> On Tue, 20 May 2008 02:28:27 -0500 Bruno Wolff III wrote:
> > On Mon, May 19, 2008 at 14:13:05 -0400,
> > "McGuffey, David C." <DAVID.C.MCGUFFEY at saic.com> wrote:
> > > I understand that DHS is funding an effort to use commercial tools
> > > find bugs in open source software. I guess the official name is
> > > Vulnerability Discovery and Remediation, Open Source Hardening
> > > but the common handle seems to be simply Open Source Hardening
> > >
> > > There was an interesting article at ZDnet...some pros and some cons:
> > > http://news.zdnet.com/2100-1009_22-6025579.html
> > >
> > > Question...is the Fedora development community benefiting from this
> > > effort?
> > I wouldn't expect there to be direct visibility to Fedora as that kind
> > of work is going to be upstream of Fedora. I am aware of Coverity
> > providing
> > information (though I am not sure if it was funded by DHS, it may have
> > been part of their marketing strategy) for some projects that have
> > in Fedora (e.g. Postgres).
> Thank you.
> I attended the 8th Software Assurance Forum a couple of weeks back and
> there were several presentations and a lot of discussion about applying
> automated tools to both source code and compiled binaries in an effort
> to reduce the vulnerabilities of software. Open source software was a
> hot topic. Many lauded it, and some (mostly from the big commercial
> vendors) trashed it.
> Most attendees seemed to agree that the universities are failing us by
> not teaching software security concepts at the undergraduate level. Many
> also agreed that being CMMI level 3/4/5 and having great software
> development environments were not a silver bullet to the problem.
> So...in light of those two big glaring problems/failures, automation is
> being attempted on a number of fronts, with the DHS program apparently
> being only one.
> Since I'm actively using Fedora at home and in an office lab, I was very
> interested in whether the DHS (or any) tool development program was
> providing a benefit to the open source community, and the security of
> the resultant products.
> Dave McGuffey
> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
> SAIC, IISBU, Columbia, MD
The developers may know if they have used some aspect of this or not,
depending on the deployment.
My personal experience with programming is that little is taught of the
nuances of good programming, from structure design, to code linkage, or
even "best practices" (depending on your view point). Moreover
documentation seems left entirely out of the curriculum for engineering
of all kinds, so the resultant products are not able to be used
effectively without considerable research on the product, and lots and
lots of trial and error. Generically this is bad, but when applied to
security issues, and the relevant code structure required as well as the
means to access systems, it is a potential disaster especially since the
exploit may not exist for the gap left behind. I do endorse software
tools for diagnosis, but I know from experience that some forms of tool
generation while effective in approach are not used in application due
to overhead and time constraints.
Where would you recommend people go to find the best practices as you
know them, or as proposed by the panels. Also there is a false belief
that not exposing people to the errors is some form of protection. That
is Microsoft's approach, and it leaves the general public in the dark
about just how much exposure they have, but worse, since the bad guys
are bad guys, the restrictions against reverse engineering mean nothing
to them, leaving the condition that only the bad guys really know the
flaws and cracks in the system.
Just my two cents worth.
More information about the users