The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project -- an effort to figure out what projects need support now, instead of waiting for them to break.
According to the current iteration of the survey, the programs most in need of attention are not previously cited infrastructure projects, but common core Linux system utilities that have network access and little development activity around them.
What to fix first?
The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux's package list and on openhub.net, then scores them based on the amount of risk each presents.
Risk scores are an aggregate of multiple factors: How many people are known to have contributed to the project in the last 12 months, how many CVEs have been filed for it, how widely used it is, and how much exposure it has to the network.
Projects listed in the CII's Census are analyzed according to the risks they pose. Popular projects with few contributors, known issues, and network access rank most highly.
A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects being core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
High scores in the survey, said the CII in its page on the project, don't mean a given program should be ditched, or that it's to be presumed vulnerable. Rather, it means "the project may not be getting the attention that it deserves and that it merits further investigation."
Not what you'd expect
To that end, some major projects with known security vulnerabilities can be found on the list, but are ranked fairly far down.
Apache's httpd Web server, a large and "vitally important" project with many vulnerabilities tracked over the years, ranked as an 8 in part because "there's already large development & review team in place." Busybox, a project found in many embedded Linux applications that has been implicated in security concerns before, ranked even lower, at 6.
One issue that bubbles up regularly in the comments is the complication posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that "the general Apache Portable Runtime (APR) appears to be actively maintained. However, it's not as clear that the LDAP library in it is as actively managed." Likewise, anything that uses the Kerberos authentication system -- recently implicated in a security issue -- typically has "Kerberos" in the notes.
For the CII, the Census is a move away from simply sponsoring known-broken projects or those visibly in jeopardy -- OpenSSL, the Network Time Protocol, and GnuPG, the last of which has lacked consistent funding of late. Proactively going after projects that don't yet appear to pose a risk may not seem as heroic, but it is a more sensible tactic than waiting for them to fall apart first. (Another CII-supported initiative, The Fuzzing Project, proactively looks for bugs in software via automated testing.)