From the Office of Software Security
Computerworld’s EiC weighs in on a COMPUSEC issue:
Computerworld’s Jaikumar Vijayan reported that the DHS is spending $1.24 million on a project designed to improve the security of open-source software (“DHS Funds Effort to Find Flaws in Open-source,” Jan. 16). The money is being paid to Stanford University, Symantec and source-code analysis vendor Coverity to build and maintain a database of bugs they find in open-source apps.
[Editor at large Mark] Hall wonders, as I do, whether that $1.24 million couldn’t have been better spent. He wonders, as I do, how much progress that money could yield in finding ways to improve, say, the security of containers coming into our ports or cargo being shipped on our airliners.
I don’t claim to be unfurling a patriotic flag by exposing some huge misdeed. But the DHS has unfurled a bright red flag of poor judgment here, and it can’t be allowed to wave unheeded.
My bottom line: Uncle Sam shouldn’t be in the software business. Remember Ada? People applaud NSA for their secure Linux project, but how does that jibe with their missions? Unless they’re going to start a secure Windows project, they’re not making a serious dent in the computer security posture of the nation. Building a more secure OS is certainly an admirable goal, but what about apps? How do you account for user behavior? And there is this thing called the Internet . . .
As far as the wisdom of having such an ill-conceived project at DHS goes . . . one need not look far for stories of how dysfunctional DHS is (the people who are busting their @$$es there notwithstanding). Katrina, anyone? Immigration? Border Control? Even if someone can convince me that this is an important project that merits DHS attention . . . $1.24 million? That’s less than a rounding error when it comes to our national security budget. That’s five mid-level SMEs and a little extra for the PM. How many volunteers are fixing a given open source package at any given time?