Heartbleed may have brought on a major case of heartburn last April for system admins worldwide, but a positive offshoot of the biggest of the Internet-wide bugs was that it opened a lot of eyes to the lack of support afforded to even ubiquitous open source software projects.
Shortly after Heartbleed was discovered in OpenSSL, a consortium called the Core Infrastructure Initiative—initially backed by the Linux Foundation, Google, Microsoft, Facebook, Amazon, Dell and others—began funneling money into the OpenSSL project. The benefits were immediate for the maintainers of the crypto library who were able to fund two full-time employees and a dozen or so part-timers to get the code cleaned up and audited. Soon thereafter, money also began moving in the direction of OpenSSH, NTP, and GnuPG (GPG).
The CII on Thursday announced more help for under-funded and under-resourced open source projects by releasing the full source code and data of the Census Project as open source. Until recently, the tool was used internally to assess risks to open source software projects and helped CII determine which were in the most immediate need of support, or of deprecation if suitable alternatives existed.
Together with a white paper written by Census Project coordinator David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA), the release aims to share the metrics CII applies to identify which projects to help, and to encourage contributions from the open source and security communities to sharpen its focus.
“Specifically, we want to look for critical projects that have matured and stabilized and are not seeing active development,” said Emily Ratliff, Linux Foundation senior director of infrastructure security, who works on the Core Infrastructure Initiative. “We can look at them, reach out to the maintainers to see what’s going on, and if they need additional support. The Census Project collects data that’s needed, automates the process and prioritizes projects to look at. It’s also open to developers and students who may be looking for projects to contribute to; they can use it as well.”
The Census Project currently lists hundreds of open source software projects it has analyzed. The metrics used include the number of contributions made to a project and the number of CVEs posted against it, all of which factor into a risk index for each project that ranges from 0 to 16. The highest score on the list is 11; funded projects such as OpenSSL, the OpenSSH client and server, and NTP score 8. The metrics and scoring are explained in depth in Wheeler’s white paper.
Ratliff said that CII has already received suggestions for metrics based on those used in other open source projects, such as Fedora, an open source Linux-based operating system developed by the Fedora Project and sponsored by Red Hat. Fedora’s Florian Weimer, Ratliff said, suggested metrics Fedora uses that capture how a project is being used, its security issues, and whether maintainers are fixing bugs and patching vulnerabilities.
“This goes to the heart of what we’re looking for,” Ratliff said. “This is why we open sourced it; we want feedback and experimentation going forward. It can be a fun and interesting experiment when we try out different metrics.”
Ratliff said she hopes the Census Project will not only help identify projects that need help, but also make them more secure.
“I hope we get more contributions to projects that may be in limbo, or the deprecation of projects that are dead and unneeded, while making sure that mature and stable projects are getting attention,” Ratliff said, adding that the discussion of appropriate security metrics is equally important. “That discussion leads to best practices that open source communities should be following, and results in good, stable, strong, reputable projects.”