Read this email in full screen mode		Email this saved web page to someone else
Reply to this email		Email any web page to anyone

Subject   Homeland Security helps secure open-source code In reference to a saved copy of http://news.com.com/Homeland+Security+helps+secure+open-source+code/21 (see below)

From To Note Sent Augux  You   new no note  Reply    Jan 11, 2006   5:25pm

News.com Mobile for PDA or phone Login: Forgot password? | Sign up CNET tech sites: Product reviews | Shop | Tech news | Downloads | Site map Corrections Blogs Extra Readers' Choice My News Front Door Business Tech Cutting Edge Access Threats Media 2.0 Markets Digital Life Options Homeland Security helps secure open-source code By Joris Evers Staff Writer, CNET News.com Published: January 10, 2006, 5:05 PM PST TalkBack E-mail Print TrackBack The U.S. Department of Homeland Security is extending the scope of its protection to open-source software. Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com. The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday. Scrubbing for bugs List of open-source software to be analyzed in the Department of Homeland Security-sponsored project. Abiword Apache BerkeleyDB Bind Ethereal Firebird Firefox FreeBSD Gaim Gimp Gtk+ Icecast Inetutils KDE Linux Mplayer MySQL OpenBSD OpenLDAP OpenSSH OpenSSL OpenVPN Proftpd QT Samba Squid TCL TK wxGtk Xine Xmms Xpdf Source: Coverity In the effort, which the government agency calls the "Vulnerability Discovery and Remediation, Open Source Hardening Project," Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said. The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system. "We're going to make automatic checking deeper and more thorough using the latest research and apply this to the open-source infrastructure to make it more robust," said Dawson Engler, an associate professor at Stanford who is working on the project. "A lot of the nation's critical computing infrastructure is open source, and it isn't really checked in an automatic way." Symantec will provide security intelligence and test the source code analysis tool in its proprietary software environment, said Brian Witten, the director of government research at the Cupertino, Calif., security software vendor. "Our role here is to help Stanford and Coverity aim their research and development to best help commercial software developers," Witten said. "By applying the Coverity tools to both open-source and proprietary software, Coverity is getting feedback from two very different worlds of software development." Playing catch-up to commercial code The project will expand an existing Coverity initiative that already provides Linux developers with regular bug data. "We will take that to the next level and pull together dozens of major open-source projects, and do full analysis of those code bases," Coverity co-founder David Park said. Commercial software makers commonly use source code analysis tools, either bought or homegrown, to vet their code before releasing a product to market. However, such tools are often too expensive for open-source developers, experts said. Instead, open-source programmers eyeball each other's code or check their own work manually. The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said. The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said. This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said. At the same time, proprietary software stands to gain as well, Quandt said. "While these efforts will help secure open-source software, the improvement in Coverity's tools can be used to also improve the security of proprietary software," she said. But the real winner is Coverity, Quandt said. The company's technology is based on Stanford research, and Stanford's Engler is closely affiliated with the business. The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said. "It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?" The Department of Homeland Security could not immediately comment. Engler defended the initiative, noting that the Department of Homeland Security is effectively paying for a commercial bug-checking tool to be applied to open-source software. "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," he said. TalkBack E-mail Print TrackBack Read more on this story's topics and companies Add to My News | Create an alert Open source Add to My News | Create an alert Security Add to My News | Create an alert Federal government Add to My News | Create an alert Software engineering/development Add to My News | Create an alert Symantec Corp  6 comments Post a comment TalkBack MS probably won't like this Richard Bailey   Jan 11, 2006, 8:05 AM PST Homeland Security, eh? Audrey Althaus   Jan 10, 2006, 8:16 PM PST Why Symantec? Epileptic Manatee   Jan 10, 2006, 7:21 PM PST Give the money to a better cause N3td3v   Jan 10, 2006, 5:26 PM PST  Read more comments > Did you know? Select a tab below to set your default view. The big picture Related stories What's hot Latest headlines Install Flash 7 and get the Big Picture! The Big Picture is a new feature which requires Flash 7. The Big Picture displays the relationship between the newsmakers, companies, and topics reported here at News.com. Learn more about the Big Picture. Please upgrade to the latest version of the Flash Player. Related news Experts question Windows win in flaw tally January 6, 2006 Mozilla takes wraps off Firefox 1.5 November 29, 2005 Apache expands Web services reach August 21, 2005 Key bugs in core Linux code squashed August 3, 2005 DNS servers--an Internet Achilles' heel August 3, 2005 Study: Few bugs in MySQL database February 4, 2005 Security research suggests Linux has fewer flaws December 13, 2004 Microsoft: Linux may mean price cuts, fewer sales September 3, 2004 Will code check tools yield worm-proof software? May 26, 2004 Pandora's box for open source February 12, 2004 Governments vote against Microsoft January 22, 2004 Open-source databases gaining favor January 5, 2004 Get this story's "Big Picture" > From News.com Extra Analysis Finds MySQL Code Low on Bugs from eWeek Linux has fewer bugs than rivals from OSNews Federal flaw database commits to grading system from The Register Software-quality tools focus on concurrency, ease of use (InfoWorld) from Yahoo! News Get more news around the Web with News.com Extra > Related white papers IT Security Solutions for Government Hewlett-Packard Why Linux Is Good For ISVs IDC RadioShack Saves Millions by Choosing Windows over Linux  (Case Study)Microsoft Why a Leading Theater Chain Chose Windows XP Embedded over Linux  (Case Study)Microsoft HP Scalable Visualization Array: Using Industry Standard Technology and Open Source Software to Add Visualization Capability to Clusters of Linux Systems Hewlett-Packard More results for open source > Related videos Get the lowdown on the Flickr photo service December 16, 2005 Something exciting coming soon to Yahoo's Flickr? Hear Caterina Fake's terse answer. December 15, 2005 Yahoo users "engaged" says Flickr's Caterina Fake December 15, 2005 Watch more videos > Scan the 15 newest and most read stories on News.com right now. Learn more Updated: 11:22 AM PST View as: Headlines Graphic Hottest story: Create an e-annoyance, go to jail Macworld: Intel-based Macs built for speed Jobs: New Intel Macs are 'screamers' Blu-ray, HD DVD players: Clunky, unimpressive Microsoft's file system patent upheld Fans jazzed by Apple's quick delivery Apple's share price an in-joke for Intelites Analyst: Dell likely to adopt AMD chips Google Video Store goes live New Macs--Intel inside, but not outside Old, new iMacs available for same prices Downloads turn music fans "apathetic"? Microsoft developers to get dose of 'Live' Deal of the day: Nikon Coolpix P2 for $240 New: E! swings 'Vine' online Legend: Older Newer Larger boxes indicate hotter stories. E! swings 'Vine' online New Wi-Fi standard back on track Macworld 2006: Jobs does it again Quote of the day: Biodiesel--frozen or on the rocks? Analyst upgrade sends Rambus trade soaring VeriSign to acquire CallVision Telemedicine slashes hospital stays London to test antiterror tech for commuters AOL hasn't given up on growing subscriptions EA to offer games to Amp'd Mobile Fujitsu to build new chip plant Is it safe yet? Not really FAQ: The new 'annoy' law explained Tuning tech catches on with guitarists Overhaul of GPL set for public release See all headlines from the past week > Resource center from News.com sponsors Concerned About Computer Security? Education is the best defense Computer security threats are part of daily life. But today's malware techniques present unprecedented challenges for businesses of all sizes. Learn how to protect yourself. Learn from the experts>> Vulnerability Exploits Break Records - A Special Report by Trend Micro Download the free white paper here>> The Future of Bot Worms - What we can expect from worm authors in the coming months Download the free white paper here>> Markets Market news, charts, SEC filings, and more Related quotes Symantec Corp. 19.82 0.71 (3.72%) DJIA 11,011.58 0.00 (0.00%) S&P 500 1,291.83 2.14 (0.17%) NASDAQ 2,327.00 6.68 (0.29%) CNET TECH 1,462.03 6.21 (0.43%)   Symbol Lookup Daily spotlight Previous Next Video: Macs go into orbit Carina Software's Voyager 4 CD-ROM lets Mac users view the sky, from an enhanced backyard perspective, without setting foot outside. Newsmaker: Is it safe yet? Not really Check Point Software Technologies CEO Gil Shwed takes a hard look at the changing face of cybersecurity. Images: The 21st-century taxicab New York's taxis don't have to be retrofitted sedans from Detroit. They might even be designed for the passenger's benefit. A DVD combo? Don't hold your breath High Impact Intellectual property issues and technological pride will likely keep Blu-ray and HD DVD camps far apart for years. Reporter's notebook: Lowdown on hi-def DVD players Photos: Old-school looks Photos: Macworld up to the minute The enthusiasm builds as Apple CEO Steve Jobs takes the stage at Macworld Expo 2006. Perspective: Can Mark Cuban sing and dance? Billionaire tech execs are exchanging cash for cachet via the movie business, says CNET News.com's Michael Kanellos. Out of the frying pan, into the car Is it time to top off your car with veggie oil? Not quite, but the biodiesel movement is getting into gear. Video: Jobs shows off the MacBook Pro Apple Computer CEO Steve Jobs debuts an Intel-based laptop that he says is four to five times faster than the PowerBook G4. Video: iPod on wheels Photos: Hot cars and a cool massage A tribute to a legendary Lamborghini and a luxury Lexus heat up the North American International Auto Show. Carmakers park in digital living room Photos: Cars built to entertain Video: New iMac uses Intel's dual-core Duo chip At San Francisco's Moscone Center, Apple Computer CEO Steve Jobs debuts an updated, Intel-based iMac. Video: Apple launches iWeb Apple chief Steve Jobs announces a new program for publishing Web sites. It includes templates, blog and podcast tools, and one-click publishing. Perspective: The next Sarbanes-Oxley? The rules are still evolving, but RiverOne CEO Chris Smith says tech companies will need a more nuanced approach. Site map | How to advertise | Contact us | Send us tips | News.com mobile | E-mail newsletters | All RSS feeds | XML | Linking policy | Content licensing | Corrections BNET | CNET.com | CNET Channel | CNET Download.com | CNET News.com | CNET Reviews | CNET Shopper.com | Computer Shopper GameSpot | International Media | MP3.com | mySimon | Release 1.0 | Search.com | TechRepublic | TV.com | Webshots | ZDNet Copyright ©2006 CNET Networks, Inc. All Rights Reserved. Privacy Policy | About CNET Networks | Jobs | Terms of Use <a href="http://my.jkn.com/go?e=4251435&amp;p=WMHZMRTKDYIOTQR&amp;f=54375307&amp;l=http%3a%2f%2fad%2edoubleclick%2enet%2fclick%253Bh%3dv5|336a|3|0|%252a|r%253B22671576%253B1%2d0%253B0%253B11948610%253B4307%2d300|250%253B13496193|13514089|1%253B%253B%257Esscs%253D%253fhttp%3a%2f%2fwww%2elivemeeting%2ecom%2ftrial%3fpromocode%3d4214" target="_blank"><img border="0" src="http://m2.2mdn.net/1092524/msf56627_pitt_300x250.gif"></A> > > Popular products from CNET.com   Palm Treo 650 (Cingular, GSM/GPRS) Check prices Read review Panasonic TH-50PHD8UK Check prices Read review Canon PowerShot SD450 Check prices Read review Canon PowerShot A610 Check prices Read review Casio Exilim EX-Z750 Check prices Read review Panasonic PV-GS250 Check prices Read review Canon EOS Digital Rebel XT with 18mm-to-55mm lens (silver) Check prices Read review Palm TX Check prices Read review Samsung MM-A900 (SPH-A900) Check prices Read review Sony KDS-R60XBR1 Check prices Read review • See all product reviews provided by CNET.com <a href="http://my.jkn.com/go?e=4251435&amp;p=WMHZMRTKDYIOTQR&amp;f=54375307&amp;l=http%3a%2f%2fad%2edoubleclick%2enet%2fclick%253Bh%3dv5|336a|3|0|%252a|n%253B24480836%253B0%2d0%253B0%253B12321882%253B4307%2d300|250%253B13713521|13731417|1%253B%253B%257Esscs%253D%253fhttp%3a%2f%2fwww%2edice%2ecom" target="_blank"><img border="0" src="http://m2.2mdn.net/982522/Dice_Codesalaryasp_300x250b.gif"></A> Sponsored Links Alloy Software IT Infrastructure Managemet suite - Asset Management and Help Desk www.alloy-software.com APC InfraStruXure Award-winning integrated, modular on-demand data ctr architecture. www.apc.com IT Platform Management Reduce IT infrastructure TCO w/ Intel® Active Management Technology www.intel.com (About)

Complain Instructions If this message is spam, please help us stop abuse of our network. Please complain by replying to this email with only "complain" in the subject line, or click here. Communication Instructions You can reply through your email program. If you do, your reply will be sent to ALL recipients. (Note that images and attachments will be automatically removed.) To reply to fewer recipients and other reply options, click "Reply" anywhere in the email. For proper email handling and formatting, DO NOT forward with your email program. Instead, click "Email this saved web page to someone else" here or on the top of this email. Email Preferences Your local date & time is Wednesday, January 11, 2006 / 5:25pm. Click here to adjust your local time. Do you want to receive fewer discussion emails? Click here to change your delivery preferences. This email was sent to guniverso.augux-not@blogger.com