April 4, 2007
This article was contributed by Jake Edge.
Finnish security company Codenomicon
announced
a new initiative to assist open source software projects in finding
security flaws.
The Codenomicon Robust Open Source Software (CROSS) program is targeted
at projects that are part of the infrastructure of the internet; by making
its proprietary testing tools available to those projects, Codenomicon
hopes to find critical security flaws before attackers do.
For Codenomicon, this is their second foray into assisting open source
projects. In 2004, their tools were used by Red Hat engineers to find
denial of service vulnerabilities
(here and
here)
in Apache and OpenSSL. Unlike the previous effort, the CROSS program
aims to work directly with the projects, allowing them to use the tools
to find flaws. They are currently working with around 20 hand-picked
projects, but Codenomicon hopes to add more projects down the road.
The projects selected represent diverse network protocols, with voice over
IP, network storage, and routing specifically mentioned as participants.
Lack of prior testing as well as "interesting" protocols were also cited as
criteria used to help select the participants. The list of specific
CROSS projects is not publicly available as both Codenomicon and the
projects themselves are concerned that participants would suffer from
increased 'black hat' scrutiny if they were identified.
Codenomicon's product line is a suite of network protocol testing tools
called DEFENSICS that are an outgrowth of research done at the University
of Oulu in the Secure Programming Group (OUSPG). The
PROTOS
project produced free software for protocol testing that is still available
and is "widely used" according to Codenomicon CTO Ari Takanen. PROTOS is
based around the idea of proactive protocol testing by injecting unexpected
input into a protocol stream; in essence, fuzzing with some smarts behind the
generated test data.
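To make the "fuzzing with some smarts" idea concrete, here is an added example written for this article; it is not PROTOS or DEFENSICS code, and the toy wire format, the parser names and the test-case names are all constructed for it. Instead of throwing random bytes at a parser, it builds one valid message and then injects boundary-value anomalies into each field of the structure (length fields, payload, truncation points), the same approach PROTOS takes with real protocols. A deliberately naive parser lets the length field run past the buffer; the hardened version validates every wire-supplied length before using it, and the harness reports every case that escapes with anything other than the parser's own clean error.

```python
import struct


class ProtocolError(Exception):
    """The only exception a robust parser should raise for malformed input."""


def build_message(version, payload, payload_len=None, checksum=0):
    """Encode the toy message (constructed for this example):
    u16 version | u16 payload_len | payload | u32 checksum (big-endian).
    payload_len may be overridden to produce inconsistent messages."""
    if payload_len is None:
        payload_len = len(payload)
    return (struct.pack(">HH", version, payload_len)
            + payload
            + struct.pack(">I", checksum))


def parse_message(data):
    """Naive parser: trusts the length field exactly as it arrives on the wire."""
    version, payload_len = struct.unpack_from(">HH", data, 0)
    payload = data[4:4 + payload_len]
    # Defect (deliberate, so the fuzzer has something to find): payload_len is
    # never checked against len(data), so this read can run past the buffer and
    # struct raises an unexpected exception instead of a clean ProtocolError.
    (checksum,) = struct.unpack_from(">I", data, 4 + payload_len)
    return {"version": version, "payload": payload, "checksum": checksum}


def parse_message_hardened(data):
    """Same format, but every wire-supplied length is validated before use."""
    if len(data) < 8:
        raise ProtocolError("message shorter than fixed header plus trailer")
    version, payload_len = struct.unpack_from(">HH", data, 0)
    if 4 + payload_len + 4 > len(data):
        raise ProtocolError("payload_len exceeds message size")
    payload = data[4:4 + payload_len]
    (checksum,) = struct.unpack_from(">I", data, 4 + payload_len)
    return {"version": version, "payload": payload, "checksum": checksum}


def generate_test_cases(baseline_payload=b"hello"):
    """Yield (name, message) pairs in the PROTOS spirit: one valid baseline,
    then boundary-value anomalies injected into each field of the structure
    rather than random byte noise."""
    yield "baseline", build_message(1, baseline_payload)
    # Length-field anomalies: too small, off-by-one too large, field maxima.
    for bad_len in (0, 1, len(baseline_payload) + 1, 0xFF, 0xFFFF):
        yield f"payload_len={bad_len}", build_message(1, baseline_payload,
                                                       payload_len=bad_len)
    # Payload anomalies: empty and maximal.
    yield "empty payload", build_message(1, b"")
    yield "oversized payload", build_message(1, b"A" * 0xFFFF)
    # Truncation anomalies: the message cut inside header, payload and trailer.
    for n in range(8):
        yield f"truncated to {n} bytes", build_message(1, baseline_payload)[:n]


def run_fuzz(parser=parse_message):
    """Feed every case to the parser and record each one that escapes with
    anything other than ProtocolError; in a C protocol stack these are the
    cases that would show up as crashes. Returns (case name, exception name)."""
    findings = []
    for name, message in generate_test_cases():
        try:
            parser(message)
        except ProtocolError:
            pass  # malformed input rejected cleanly: the desired outcome
        except Exception as exc:
            findings.append((name, type(exc).__name__))
    return findings


if __name__ == "__main__":
    for name, cls in run_fuzz(parse_message):
        print(f"naive parser: {name!r} -> {cls}")
    print("hardened parser findings:", run_fuzz(parse_message_hardened))
```

Run against the naive parser, the length anomalies at and beyond the real payload size and every truncation case surface as unexpected `struct.error` exceptions; the hardened parser rejects all of them with `ProtocolError` and produces no findings. The point of the structure-aware generator is that a handful of targeted cases exercises exactly the trust boundaries (lengths, counts, truncation) where protocol implementations fail, which is what lets this style of testing find flaws quickly.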
Codenomicon observed that free tools did not get the same attention from
management that was given to relatively expensive commercial tools, and
DEFENSICS bridges that gap. In addition, the DEFENSICS suite builds upon
the lessons learned with PROTOS, extending and enhancing the basic concept
while making it faster. Because of their research background and some level
of altruism, Codenomicon wants to give back to the open source community and
CROSS is their means of doing that. Obviously they are hoping to gain
some name recognition and good press, but they also seem to have a real
interest in helping to secure the internet by finding flaws proactively.
Open source projects can generally use all the help they can get when it
comes to finding security flaws. It is accepted as an article of faith that
"many eyes make all bugs shallow", but that only works when those eyes
actually focus on a particular project. Just opening the source does not
magically attract the attention of security-minded developers, and that makes
projects like CROSS very useful. The Codenomicon tools (and PROTOS before
that) have been successful in finding flaws in the past and one can hope
that this effort will similarly bear fruit. With luck we will see a number
of security bug reports over the next few months that will credit CROSS.
This effort is reminiscent of Coverity's code analysis tools being used
to assist open source projects; hopefully more companies will decide to
use our code as a testbed for their tools, as it can only help both to get
better.