January 11, 2006

US DHS funds security for open source

Grant to fund audits of more than 40 open source projects

The U.S. Department of Homeland Security (DHS) has awarded a US$1.24 million three-year grant to Stanford University and software vendors Coverity Inc. and Symantec Corp. The grant will fund daily security audits and analysis of more than 40 open-source projects including Apache, Linux, Mozilla, MySQL and PostgreSQL.

Known as the Vulnerability, Discovery and Remediation Open Source Hardening Project, the grant forms part of a broad initiative by the DHS Science and Technology Directorate to encourage the development and deployment of technologies to protect the country's key computer systems and networks, including the Internet, according to Coverity executives. The awarding of the grant was announced Wednesday.

Under the terms of the grant, Stanford will receive a total of $841,276 in funding over the three-year period, Coverity $297,000 and Symantec $100,000. Source-code analysis startup Coverity will receive the bulk of its funding, $237,000, in the first year of the grant, with the remainder of the money, $60,000, to be paid out equally over the two following years, according to Rob Rachwald, senior director of product and corporate marketing with Coverity.

Coverity will use the money to extend its Prevent software so it can analyze the source code of a wider variety of open-source projects for software defects and security vulnerabilities.

"We'll develop the [Prevent] tool so we're able to understand what the government needs in terms of defect detection, software reliability and software security," Rachwald said Wednesday.

Coverity's Prevent will carry out automatic daily security audits of the open-source projects and post the defects it finds in a public online bug database, according to Rachwald. Stanford will contribute staff to provide recommendations for developing secure open-source software in future. Among those contributing will be Dawson Engler, an associate professor of computer science at Stanford and a co-founder of Coverity, Rachwald said. Symantec will draw on its expertise in security software to suggest both best security practices for the U.S. government to adopt and how to deploy software in a secure fashion so as to lower the incidence of any attacks, he added.

Coverity plans to have the daily audits for an initial 40 open-source projects up and running by March, according to Rachwald. However, he expects more open-source projects to be added over time in response to requests by the DHS. Coverity is still determining exactly how it will present the bug database online. The company may use the same method it uses for Linux, its http://linuxbugs.coverity.com Web site, which developers have to log into, or else make the audits available via Stanford's Web site, he said.

"This is part of a trend where government is adopting a lot of the technology software companies already have," Rachwald said, pointing to the likes of McAfee Inc., Sun Microsystems Inc. and Symantec, which already use Coverity's Prevent technology.

The DHS did not immediately return calls for comment.

This is Coverity's first DHS grant, according to Rachwald. The company applied for the grant in December 2004.

Coverity's technology originated in Stanford's computer systems laboratory. The company, which has its headquarters in San Francisco, was founded in 2002.

©1994-2009 Infoworld, Inc.