Yesterday I wrote a story about millions of Samsung IoT devices that are vulnerable to attacks due to zero-day security holes. I have been extremely critical of IoT vendors ignoring the importance of updates and security, putting millions of users at risk. In the case of Samsung, what bothered me the most was that these devices are running Tizen OS, a Linux-based open source operating system that’s hosted by the Linux Foundation.
I reached out to the Linux Foundation to discuss the security of the project. Here is an edited version of my interview with Nicko van Someren, Chief Technology Officer, The Linux Foundation.
SB: Being a Linux Foundation project, what’s the right place for researchers to report security bugs?
NvS: Like all LF projects, the right place for researchers to report vulnerabilities is directly with the project. Each project operates independently and The Linux Foundation provides support and assistance when asked. As with most open source projects, Tizen operates both a bug tracker system and mailing lists for discussing issues.
SB: The story of millions of insecure Tizen OS devices also dents the reputation of the foundation and Tizen OS in general, so what is the foundation doing to ensure that the bugs are patched?
NvS: In this case, the researcher didn’t contact anyone in the Tizen open source community or anyone who works on the Tizen platform, so we’re still trying to get details. No report has been shared. We are not sure whether this is an issue with the Tizen open source code or whether it’s other software that Samsung adds to Tizen products. If the latter is the case, it would have nothing to do with the open source project. Samsung will have to comment on that.
Security bugs are a part of software development. To respond to this, nearly three years ago The Linux Foundation formed the Core Infrastructure Initiative. The CII’s mission is to ensure that the open source code that underpins business today is secure and resilient. The CII has been working with several Linux Foundation projects to drive improvements in security process as well as overall code quality. To date the CII has not been directly working with Tizen, but we intend to do so if these vulnerabilities turn out to be in the open source code.
As specific security bugs are found, they are typically fixed quickly, and we will be tracking all of the bugs found in this case. I think that a more important issue here is to work with the Tizen team to ensure that they have a more thorough security process in place to make sure bugs are easier to report in a way that they can be acted upon in a timely manner, and that the code is easier to keep bug-free.
More important than the specific bugs revealed by this specific report, it is important that we find ways to make all code more secure and keep it secure. The CII’s Security Best Practices Badge program is designed to help open source projects design, implement and follow a security process, which can reduce the number of bugs, make security testing easier and allow vulnerabilities to be patched more swiftly if they do slip through.
SB: Is there any system in place to ensure Linux Foundation-backed projects remain safe and secure?
NvS: The Core Infrastructure Initiative has introduced its free Best Practices Badges program that seeks to help open source software projects achieve better security, quality and stability. The Best Practice Badge uses an online assessment tool that determines which practices are relevant to a project, determines if they follow them and helps them to implement these practices as needed. This program is open to all open source projects, not just projects affiliated with The Linux Foundation.
As well as encouraging projects to follow the best security practices, the CII is also supporting the creation of powerful open source tools for security evaluation and testing. We have been funding the development of static analysis tools, fuzz-testing tools and a variety of other tools which enable projects to test their security posture. Of course, since each Linux Foundation project operates independently, the CII is not in a position to force any specific project to take up specific tools, but we will offer the Tizen team this support if they would like to take advantage of it.