Linux Effort Targets Secure Code Development
As software bugs, vulnerabilities and other security gaps lead to a seemingly endless string of high-profile breaches, the Linux Foundation is expanding an infrastructure initiative to include a certification program and development tools needed to promote secure coding practices.
The upfront security efforts are part of a larger push launched last year by the Linux Foundation called the Core Infrastructure Initiative created in response to the Heartbleed bug, the vulnerability in the OpenSSL cryptographic library. Along with adding some firepower to the initiative in the form of two new cyber-security experts as advisors, the foundation said this week during its annual conference in Seattle it is initiating a "badge program" that would develop guidelines for bolstering the security of open source software.
"By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on," said Emily Ratliff, senior director of infrastructure security at The Linux Foundation. "A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure."
Ultimately, the certification effort could help ensure the "long-term viability of the open source community," Ratliff added.
The foundation said it would also introduce "pre-emptive tools and programs" to help the open source ecosystem and the companies who support it deploy secure coding practices.
It is also considering the creation of a "threat modeling fellow" position, along with a code-auditing specialist, to spur the security effort, according to Jim Zemlin, Linux Foundation executive director. Meanwhile, the initiative has added two advisory board members: Adam Shostack, a member of the Black Hat Review Board; and Tom Ritter, a security engineer with a digital security organization.
Skeptics wonder if the Linux Foundation effort is too little and too late. "Let's call this Series A funding," countered Zemlin. The goal is to create a "culture of secure coding practices," he added. "At least we are having a conversation about open source security."
The Linux Foundation launched a Census Project in July designed to identify and fund critical open source projects. The program identifies "at risk" open source Internet infrastructure projects and provides additional support and funding. "We want to move from being firefighter to [become] investors" in a set of best practices for open source, Zemlin explained.
One approach being funded under the infrastructure initiative seeks to promote use of certified code developed for mission-critical space, aircraft and power plant applications. "We know the best practices but we need to keep up with open source," noted Joel Sherrill, who helped develop a real-time operating system used on a Mars mission. Along with security, "the code needs to live beyond the original developers."
Among the backers of the initiative is Microsoft. "We want to minimize the friction involved in writing secure software," said Mark Cartwright, a group general manager at Microsoft tasked with overseeing its shift to secure open source coding.