DHS Open Source Hardening Project

McGuffey, David C. DAVID.C.MCGUFFEY at saic.com
Tue May 20 13:31:55 UTC 2008


On Mon, 19 May 2008 20:15:15 -0700 Les H wrote:
> 
> On Mon, 2008-05-19 at 14:13 -0400, McGuffey, David C. wrote:
> > I understand that DHS is funding an effort to use commercial tools to
> > find bugs in open source software.  I guess the official name is
> > Vulnerability Discovery and Remediation, Open Source Hardening Project,
> > but the common handle seems to be simply Open Source Hardening Project.
> >
> > There was an interesting article at ZDnet...some pros and some cons:
> > http://news.zdnet.com/2100-1009_22-6025579.html
> >
> > Question...is the Fedora development community benefiting from this
> > effort?
> >
> > Dave McGuffey
>
> Did you look at the date of the article?
> 
> Regards,
> Les H 
> 
Yes, but it was mentioned at the 8th Software Assurance Forum two weeks
ago, in and among several presentations concerning open software
security. So apparently the program is still going on.

There were other presentations about automated tools that scan through
both source and compiled binaries looking for actual or potential
vulnerabilities.  In some cases the code is so complex, that the tools
can only flag a block of code for further human review.  It seems that a
lot of effort is going into automated tools, because a significant
percentage of the attendees at the SWaF seem to believe that the
universities are doing a poor job of training software engineers, and
that the "cost schedule" mantra of software development managers runs
counter to security.

My question remains...are the open source developers whose contributions
make it into Fedora benefiting from the DHS program or any of the other
tool development efforts?

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD

More information about the fedora-list mailing list