Finnish security company Codenomicon
a new initiative to assist open source software projects in finding
The Codenomicon Robust Open Source Software (CROSS) program is targeted
at projects that are part of the infrastructure of the internet and
by making their proprietary testing tools available to the projects, they
hope to find critical security flaws before attackers do.
For Codenomicon, this is their second foray into assisting open source
projects. In 2004, their tools were used by Red Hat engineers to find
denial of service vulnerabilities
in Apache and OpenSSL. Unlike the previous effort, the CROSS program
aims to work directly with the projects, allowing them to use the tools
to find flaws. They are currently working with around 20 hand-picked
projects, but Codenomicon hopes to add more projects down the road.
The projects selected represent diverse network protocols, with voice over
IP, network storage, and routing specifically mentioned as participants.
Lack of prior testing as well as "interesting" protocols were also cited as
criteria used to help select the participants. The list of specific
CROSS projects is not publicly available as both Codenomicon and the
projects themselves are concerned that participants would suffer from
increased 'black hat' scrutiny if they were identified.
Codenomicon's product line is a suite of network protocol testing tools
called DEFENSICS that are an outgrowth of research done at the University
of Oulu in the Secure Programming Group (OUSPG). The
project produced free software for protocol testing that is still available
and is "widely used" according to Codenomicon CTO Ari Takanen. PROTOS is
based around the idea of proactive protocol testing by injecting unexpected
input into a protocol stream; in essence, fuzzing with some smarts behind the
generated test data.
Codenomicon observed that free tools did not get the same attention from
management that was given to relatively expensive commercial tools and
DEFENSICS bridges that gap. In addition, the DEFENSICS suite builds upon
the lessons learned with PROTOS, extending and enhancing the basic concept
while making it faster. Because of their research background and some level
of altruism, Codenomicon wants to give back to the open source community and
CROSS is their means of doing that. Obviously they are hoping to gain
some name recognition and good press, but they also seem to have a real
interest in helping to secure the internet by finding flaws proactively.
Open source projects can generally use all the help they can get when it
comes to finding security flaws. It is accepted as an article of faith that
"many eyes make all bugs shallow", but that only works when those eyes
actually focus on a particular project. Just opening the source does not
magically attract the attention of security minded developers and that makes
projects like CROSS very useful. The Codenomicon tools (and PROTOS before
that) have been successful in finding flaws in the past and one can hope
that this effort will similarly bear fruit. With luck we will see a number
of security bug reports over the next few months that will credit CROSS.
This effort is reminiscent of the Coverity's code analysis tools being used
to assist open source projects and hopefully more companies decide to
use our code as a testbed for their tools; it can only help both to get
to post comments)