By Jake Edge
June 4, 2008
Two recently announced organizations, the Open Source Computer Emergency Response
Team (oCERT) and Open Source Software
Security (oss-security), are both looking to assist projects with
security issues in a complementary way. Each is focusing on different kinds
of problems that free software projects face when trying to secure
their code.
oCERT is modeled on the various national CERT organizations, but focused on
free software:
The service aims to help both large infrastructures, like major
distributions, and smaller projects that can't afford a full-blown security
team and/or security resources. This means aiding coordination between
distributions and small project contacts. The goal is to reduce the impact
of compromises on small projects with little or no infrastructure security,
avoiding the ripple effect of badly communicated or handled compromises,
which can currently result in distributions shipping code which has been
tampered with.
In addition, oCERT is doing vulnerability research on free software
projects. So far, they have released four
advisories after coordinating with the affected projects and
distributions. It is a way for team members—or anonymous
researchers—to collect their vulnerability research and push it
through the process.
The oCERT team
consists of five security professionals from Inverse Path, Google, and
Intel, along with a two-person advisory board. Various projects have also
signed up as members including several Linux distributions, security and
other free software tools, as well as OpenBSD. In order to become a
member, a project or organization must meet some fairly stringent membership requirements
that include agreeing to the disclosure policy. Others can submit
vulnerability information without becoming a member.
oss-security is more of an open group, without any formal membership, that
is looking to foster more discussion of security issues:
The purpose of oss-security is to encourage public discussion of security
flaws, concepts, and practices in the open source community. We don't want
to simply be an information clearinghouse, or to replace any of the current
security lists and groups. The goal is to fill an existing vacuum by
encouraging active participation of those interested in the ideas and
unique challenges in securing Open Source software. This includes
activities such as flaw discovery, understanding, reporting, and overall
best practices.
The oss-security
mailing list is one of the focal points of the group's efforts. Some of
the topics currently being discussed are helping projects with code
reviews, getting CVE IDs assigned for specific vulnerabilities, and the
IP address change of the "L" root nameserver.
The oss-security wiki
seeks to gather relevant security information from projects and vendors in
a single location. This includes security contacts, helpful mailing lists,
bug tracker locations, distribution security patch repositories, and the
like. If it gets fully populated and is kept up-to-date, it will be a
tremendous resource for the community.
Up to a certain point, more organizations looking to improve free software
security can only be a good thing. Each of these seems to have a focus
that is not met by existing groups, so they can hopefully fill a need in the
community. The private, vendor-sec
mailing list has long been used by distributors, whereas oCERT and
oss-security are more focused on the project side of the equation. With
luck, that will lead to better code and more coordination for projects
and distributions.