Open source gets secure

Two new efforts to certify the security capabilities of open-source products show an increasing interest among federal agencies to use the software for mission-critical work. In one project, a team that includes Hewlett-Packard Co. of Palo Alto, Calif., and a division of IBM Corp., Armonk, N.Y., is working to certify an encryption protocol widely used in securing Web pages. In the other, a Navy team funded by the Defense Advanced Research Projects Agency has released software that allows Linux computers to be forensically audited across a network in accordance with military standards.Both sets of software would be useful for agencies and contractors involved in the Defense Department's Global Information Grid and other network initiatives that require hardware and software to pass stringent security tests. "From an open-source business perspective, we have to cross those barriers to make viable offerings," said John Weathersby, chairman of the Open Source Software Institute.The Oxford, Miss.-based nonprofit institute was founded in 2001 to promote government use of open-source software, or software in which the source code is included with the software package. Its backers include Hewlett-Packard, IBM and Intel Corp., Santa Clara, Calif. Government use of Linux, one of the most prominent open-source programs, appears to be increasing. IBM reports that more than 75 of its government customers are using Linux solutions, including the Federal Aviation Administration and the departments of Agriculture and Energy. In the first project, a team led by the institute has started the process to get FIPS 140-2 certification for a popular open-source software tool kit called OpenSSL. OpenSSL is the open-source implementation of the secure socket layer, a widely used Web protocol to encrypt sensitive information, such as credit card numbers.The Federal Information Processing Standard Publication 140-2 standard specifies the security requirements that cryptographic modules must meet to be used in government for sensitive information. The National Institute of Standards and Technology's Cryptographic Module Validation Program is the certifying body for FIPS 140-2.Gary Gross, a Hewlett-Packard security evaluation program manager, is the project's technical lead. Other participating members include the Ottawa-based Domus IT Security Laboratory, which is a division of IBM; the Annapolis, Md.-based PreVal Specialists Inc.; and volunteers from the OpenSSL Project.In the DARPA-funded project, the Navy-led team has released software for auditing Linux-run equipment over a network. The software, Secure Auditing for Linux, remotely detects and reacts to system intrusions and disruptions of Linux-run services. It also collects operational data for forensic analysis should a break-in or other incident occur.The software monitors all of a computer's operations from across a network, alerting designated parties whenever an event of concern takes place. The package also provides forensic-grade auditing capabilities. Version 1.0 of Secure Auditing for Linux provides auditing capabilities that would bring a Common Criteria-level of auditing for the Linux operating system, something it does not usually offer.Common Criteria is a set of internationally recognized standards for evaluating the security of IT products. The Defense Department requires Common Criteria approval for all hardware and software products that handle sensitive information. IBM, Oracle Corp. and Red Hat Inc. are each funding separately Common Criteria testing versions of the Linux operating system, Weathersby said. The DARPA award for the secure auditing software was made under the Composable High Assurance Trusted Systems program, which funded high-assurance operating system technologies to protect computer systems from constant attack.Participants in the team include members from the Navy's Space and Naval Warfare Systems Center.For Weathersby, such initiatives show that government agencies use of open-source software is considered more and more for mission-critical work."We're working with folks right now within branches of the military who really want to use some of this technology, but until [the software gets] compliance, they are prohibited from using it," Weathersby said. *Staff Writer Joab Jackson can be reached at jjackson@postnewsweektech.com.