DHS procures testing service for open-source apps

Open-source project leaders could use these results to fix software defects, while agency and critical infrastructure IT shops could monitor them to evaluate or take corrective action on applications.

The Homeland Security Department has procured a bug testing service for popular open-source programs, one that will submit applications such as Apache and MySQL to a level of scrutiny enjoyed by many commercial software providers.

"DHS realizes that much of the critical infrastructure runs on open source," said David Park, co-founder and vice president of marketing and business development for software testing company Coverity Inc. of San Francisco. "One of the reasons DHS has been behind this is that there hasn't been a centralized and comprehensive way of enforcing security and reliability" with many open-source projects, he said.

Coverity, along with Stanford University and Symantec Corp. of Cupertino, Calif., will execute the three-year, $1.2 million Vulnerability Discovery and Remediation Open Source Hardening Project. DHS' Science and Technology Directorate sponsored the work.

Stanford, which will get the majority of the funding, will investigate new techniques for analyzing complex sets of software code for critical defects, while Coverity will test 40 of the most widely used open-source applications, using the software that it currently provides to its private-sector customers.

Software to be tested includes the Linux operating system kernel, the Apache Web server, the MySQL database system, the Mozilla Web browser and the Secure Shell remote log-in.

The resulting lists of defects, along with their locations and root causes, will be posted on a Web site. This project will run independently of each project's own bug reporting mechanisms, Park said.

Although Coverity will run these tests at first, eventually it hopes to offer an automated testing service that developers can use themselves.

In addition to its commercial work, Coverity has already examined the 6 million lines of code that make up Linux, a volunteer effort that revealed more than 2,000 defects, many of which have been fixed, Park noted.

Park said the team has not settled on the final list of applications to undergo testing, nor has it decided when the site will go live.

Joab Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.