Centralized Security Reporting for Open Source


In a community as widespread and decentralized as open source, how do you coordinate information about software vulnerabilities?

For years, such efforts largely have been piecemeal: There are bug-tracking systems, security mailing lists and the U.S. government’s Computer Emergency Response Team (CERT) efforts for disclosing major security vulnerabilities.


Now, major open source industry players like Novell and Google are lining up behind a new option: open source CERT, or oCERT.


While not related to US-CERT or its international offshoots — aside from licensing the CERT name and occasionally passing along information — oCERT shares a similar goal in working to consolidate open source security reporting.


That’s an element of the open source community that’s emerging as critical amid a wider climate of heightened awareness around IT security issues of all kinds. And with open source’s “intrinsic decentralized nature,” a new, centralized body may be just the answer, according to Andrea Barisani, oCERT’s founder and project coordinator.


“We think something like oCERT is an effort that can help the open source community … with a respectable point of contact and team force that can provide help to anyone that needs to disclose or investigate security issues,” Barisani told InternetNews.com.


Already, oCERT has the backing of many notable vendors and projects, with Novell, Google, Gentoo Linux, Mandriva, SNORT and Wind River having signed on as official members.


Linux leader Red Hat is not among them, but that doesn’t mean the company won’t participate in the effort.


“Red Hat has working relationships with many Computer Emergency Response Teams across a number of countries, and it is not appropriate for us to endorse one over another,” Mark Cox, director of the Red Hat Security Response Team, told InternetNews.com.


“However, we do see the value in a service such as promised by oCERT and have worked with them since their inception both on their policies and specific security issues, and we intend to continue to do so, irrespective of formal membership.”


Open source vendor OpenLogic, which provides support services, also is not currently an official member of oCERT, though that could change at some point in the future, the company said.


Kim Weins, senior vice president of marketing at OpenLogic, told InternetNews.com that the company currently does its own research on security vulnerabilities for a variety of mission-critical components within its library, such as servers and databases.

“We provide this information via e-mail alerts to customers as well as on our free OLEX Web site,” Weins said. Still, “we believe that additional security information, like that provided by oCERT, would be valuable to OpenLogic’s customers.”

Leveling the playing field


Meanwhile, Novell and its openSUSE Linux project have joined as official oCERT members, and are optimistic about the group’s prospects.



Joe Brockmeier, openSUSE Community Manager at Novell, said the company is interested in supporting efforts to coordinate sharing vulnerability information to expedite reaction times.


“In particular, we want to support the exchange of vulnerability information between large vendors with full security teams as well as small projects with few or no dedicated security resources,” Brockmeier told InternetNews.com. “It’s very important to provide a level playing field for all of the players in the open source community, and we want to be a part of that.”


That’s also the key aspect that interested Brockmeier’s colleague Marcus Meissner, who leads the SUSE security team.


“The other security forums are for larger and more established vendors, but we want to make sure that independent researchers and open source projects have an avenue to participate in security forums as well,” Meissner told InternetNews.com.


Still, oCERT’s founder said that it doesn’t necessarily matter whether a project or vendor is an official member or sponsor.


“Our sponsors don’t get any form of ‘preferential treatment’ regarding their security reports or issues that might affect them, nor do sponsors have privileged access or any form of advance notification,” Barisani said.


oCERT and the international CERTs are not directly related. The CERT name itself is being used by the open source effort with the express permission of the original CERT at Carnegie Mellon University.


According to oCERT team member Rob Holland, Inverse Path — a consulting firm that employs both Holland and Barisani — signed a license on oCERT’s behalf, granting permission to use the term.


The CERT license outlines a few requirements for continued use — one being a disclaimer on the oCERT site due to the similarity of the URLs ocert.org and cert.org, Holland said.


“Other requirements were mainly related to keeping track of the services we claim to offer, intended to stop tarnishing of the reputation of the trademark,” Holland told InternetNews.com.


While oCERT does not have a direct organizational relationship with the US-CERT effort, the two organizations can share information. Barisani said oCERT would contact regional CERTs in cases in which it feels it may have useful information to share.


“It happened already once — I contacted US-CERT about an open source vulnerability that might affect some commercial software,” Barisani said. “US-CERT knows lots of commercial vendors and therefore, it felt appropriate. Other than this, there is no official interaction between us and other CERTs.”


Many open source projects have bug-tracking databases like Bugzilla to track security issues. oCERT’s founders said their effort isn’t intended to replace those efforts or even to compete with them.


Instead, they said the expectation is that projects and security researchers who discover flaws will contact oCERT directly, to help them coordinate a controlled release of the fix.


“Our effort is not so much about existing issues known to projects, but more to new security issues which are reported to us, or found by us, and that we help escalating and coordinating proper fixes amongst all affected projects,” Barisani said.
