RealTime IT News

Centralized Security Reporting for Open Source

In a community as widespread and decentralized as open source, how do you coordinate information about software vulnerabilities?

For years, such efforts have largely been piecemeal: there are bug-tracking systems, security mailing lists and the U.S. Computer Emergency Response Team (CERT) efforts for disclosing major security vulnerabilities.

Now, major open source industry players like Novell and Google are lining up behind a new option: open source CERT, or oCERT.

While not related to US-CERT or its international offshoots -- aside from licensing the CERT name and occasionally passing along information -- oCERT shares a similar goal in working to consolidate open source security reporting.

Consolidated security reporting is emerging as a critical need for the open source community amid a wider climate of heightened awareness around IT security issues of all kinds. And given open source's "intrinsic decentralized nature," a new, centralized body may be just the answer, according to Andrea Barisani, oCERT's founder and project coordinator.

"We think something like oCERT is an effort that can help the open source community ... with a respectable point of contact and team force that can provide help to anyone that needs to disclose or investigate security issues," Barisani told InternetNews.com.

Already, oCERT has the backing of many notable vendors and projects, with Novell, Google, Gentoo Linux, Mandriva, Snort and Wind River having signed on as official members.

Linux leader Red Hat is not among them. That doesn't mean the company won't participate in the effort, however.

"Red Hat has working relationships with many Computer Emergency Response Teams across a number of countries, and it is not appropriate for us to endorse one over another," Mark Cox, director of the Red Hat Security Response Team, told InternetNews.com.

"However, we do see the value in a service such as promised by oCERT and have worked with them since their inception both on their policies and specific security issues, and we intend to continue to do so, irrespective of formal membership."

Open source vendor OpenLogic, which provides support services, is also not currently an official member of oCERT, though the company said that could change at some point in the future.

Kim Weins, senior vice president of marketing at OpenLogic, told InternetNews.com that the company currently does its own research on security vulnerabilities for a variety of mission-critical components within its library, such as servers and databases.

"We provide this information via e-mail alerts to customers as well as on our free OLEX Web site," Weins said. Still, "we believe that additional security information, like that provided by oCERT, would be valuable to OpenLogic's customers."

Leveling the playing field

Meanwhile, Novell and its openSUSE Linux project have joined as official oCERT members, and are optimistic about the group's prospects.