
A client is asking my company to write up internal standards that open source software must meet before we will approve it for use on our workstations. Our policy has always been subjective and hard to quantify. We use very popular, highly reputable products like GPG, Ruby, and 7-Zip, and are wary of new, unproven projects. As part of a larger policy that also describes this "highly reputable" test, I would like to be able to point to a 3rd-party source that would provide some sort of rating of OSS products. While it's fairly easy to find sources that will tell you when a product is not considered secure, it seems more difficult to find a place that will tell you that it is. Does anyone know of a source that will give us some 3rd-party corroboration (or refutation) to our opinions that some product seems established and reputable?

Note that I'm aware of the arguments about the relative security of OSS vs closed source products, but it's not relevant here; the client is more wary of OSS and there's nothing I can do about that.

kcrumley
  • What "relative security of OSS vs closed source products" are you referring to? See [Open Source vs Closed Source Systems](http://security.stackexchange.com/q/4441/33). – AviD Jul 17 '11 at 11:33

3 Answers


You will likely not find too many people or groups who will vouch for an OSS product's security, because it could put them at risk of being legally liable. While reputation is a part of a measure, it is hard to quantify, and people like hard numbers. Here are some factors you could consider.

Has it been independently reviewed?

OK, here are your numbers. Coverity Scan is a list of Open Source projects that undergo static code analysis. It shows the number of defects detected and fixed, and the defect density, and Ruby is on it. Look on SourceForge for the project's development status. The development status is self-evaluated, but it gives you at least an idea of how the project views itself.

How is it developed? Are there people with security experience on the team? Do they do reviews before a release? What happens when they find problems before the release: do they release with a warning, or hold the release until the flaw is fixed?

How good is their response to problems?

Most popular open source projects have a bug tracking system, and some have specific security issue systems. Check the bug or security tracker and see how quickly they respond to bugs or security issues.

Who else uses it?

If other companies like your client's use the software, then you are assuming risk equal to your peers. If companies that have stringent security requirements use it, then it lends credence to its reputation (but of course it is not a guarantee). Read Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense; however, it is a little dated (2003).

What is it used for?

If you can say that the use is outside of anything security critical, and will be appropriately isolated, then you don't need evidence of security robustness. Obviously this would need to be for use internally only, not on a publicly accessible server or computer.

landroni
this.josh
  • Nice answer. Nitpick: I'm not convinced that Coverity Scan scores are correlated at all to security. – D.W. Jul 15 '11 at 06:03
  • @D.W. They are certainly not directly related to security, but they can be used as a measure of reliability of the code to perform as designed. Certainly some bugs may be security problems. So, detection and correction of bugs can provide assurance that fewer bugs will be discovered after release. – this.josh Jul 15 '11 at 07:44
  • Wow! Great set of questions! I'd also add: is the licensing acceptable for the use you intend? And I'd point out that in many cases you will never know very much about who else uses it, as many companies and systems don't advertise their use of FOSS. – bethlakshmi Jul 15 '11 at 15:25
  • +1, very good perspective. I had 2 comments, but @D.W. and @bethlakshmi already got them :) – AviD Jul 17 '11 at 11:36
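Two of the questions in the answer above (Coverity defect density, and how quickly security issues get closed in the tracker) can be turned into a repeatable check. The script below is an added example, not code from the original answer: the scan summary and tracker issues are constructed sample data in the shape a reviewer would copy from a Coverity Scan project page and a bug-tracker export, and the three thresholds are hypothetical values for an internal standard, not figures from any source.

```python
"""Check an open source candidate against the measurable vetting questions:
Coverity-style defect density and time-to-fix for security-labelled issues.

Added example. Data below is constructed; thresholds are assumed policy values.
"""
from datetime import date
from statistics import median

# Constructed sample in the shape of a Coverity Scan project summary.
SCAN_SUMMARY = {"lines_of_code": 120_000, "outstanding_defects": 54, "fixed_defects": 310}

# Constructed sample of security-labelled tracker issues (ISO dates; None = still open).
SECURITY_ISSUES = [
    {"id": "SEC-1", "opened": "2011-01-03", "fixed": "2011-01-10"},
    {"id": "SEC-2", "opened": "2011-02-14", "fixed": "2011-02-16"},
    {"id": "SEC-3", "opened": "2011-03-01", "fixed": None},
    {"id": "SEC-4", "opened": "2011-04-20", "fixed": "2011-05-30"},
]

# Date the review is carried out (constructed, so the example is reproducible).
AS_OF = date(2011, 6, 1)

# Assumed policy thresholds (hypothetical; tune them to your own standard).
MAX_DEFECTS_PER_KLOC = 1.0
MAX_MEDIAN_FIX_DAYS = 30
MAX_OPEN_SECURITY_DAYS = 90


def defect_density(summary):
    """Outstanding defects per thousand lines of code, the figure Coverity Scan reports."""
    return summary["outstanding_defects"] / (summary["lines_of_code"] / 1000)


def days_open(issue, as_of):
    """Days between opening and fix. An unfixed issue is measured up to `as_of`,
    so ignored reports make the statistic worse instead of disappearing from it."""
    opened = date.fromisoformat(issue["opened"])
    closed = date.fromisoformat(issue["fixed"]) if issue["fixed"] else as_of
    return (closed - opened).days


def assess(summary, issues, as_of):
    """Return the measurements plus a list of failed checks (an empty list means pass)."""
    density = defect_density(summary)
    ages = [days_open(i, as_of) for i in issues]
    median_fix = median(ages) if ages else 0
    stale = [i["id"] for i in issues
             if i["fixed"] is None and days_open(i, as_of) > MAX_OPEN_SECURITY_DAYS]

    failures = []
    if density > MAX_DEFECTS_PER_KLOC:
        failures.append(f"defect density {density:.2f}/KLOC exceeds {MAX_DEFECTS_PER_KLOC}")
    if median_fix > MAX_MEDIAN_FIX_DAYS:
        failures.append(f"median security fix time {median_fix} days exceeds {MAX_MEDIAN_FIX_DAYS}")
    for issue_id in stale:
        failures.append(f"{issue_id} open longer than {MAX_OPEN_SECURITY_DAYS} days")

    return {
        "defects_per_kloc": round(density, 2),
        "median_fix_days": median_fix,
        "failures": failures,
    }


if __name__ == "__main__":
    report = assess(SCAN_SUMMARY, SECURITY_ISSUES, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data the density (0.45 defects per KLOC) and the median fix time (23.5 days) pass, but SEC-3 has sat open for 92 days and is flagged; the point of counting open issues against the review date is exactly the one D.W. raises in the comments, that a low defect count says nothing about security unless you also look at how security reports are handled.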

Here are two ways to get input of the sort you're looking for.

  • Ubuntu Linux distinguishes between packages it is willing to ship in the "main" repository, for which Canonical provides official support, and the "universe" repository, which is maintained by volunteers. The project vets packages in a way that is similar to the steps outlined in the answer by this.josh. Packages which are not in "main" are labeled (e.g. with "[universe]") in their entries at packages.ubuntu.com.

  • Is it relied on by your suppliers (such that you already depend on it to some degree) or your peers? This can affect the amount of additional risk you face by relying on it.

nealmcb
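The main/universe distinction above can also be read off an Ubuntu Packages index rather than the website: for anything outside main, the Section field carries the component as a prefix (for example "Section: universe/utils"), while main packages have a bare section. The parser below is an added example, not part of the original answer; the two stanzas are constructed samples, not copied from any real archive index.

```python
"""Classify Ubuntu packages by archive component from Packages-index stanzas.

Added example. The index text is a constructed sample; the component-prefix
convention in the Section field is the one used in Ubuntu's index files.
"""

SAMPLE_INDEX = """\
Package: gnupg
Section: utils
Description: GNU privacy guard - a free PGP replacement

Package: p7zip-full
Section: universe/utils
Description: 7z and 7za file archivers with high compression ratio
"""


def parse_stanzas(text):
    """Split an RFC 822-style index into dicts, one per blank-line-separated stanza.
    Continuation lines (leading whitespace) belong to the previous field and are skipped."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line[:1].isspace():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def component(stanza):
    """'main' when the Section has no component prefix, otherwise the prefix
    (universe, multiverse, restricted)."""
    section = stanza.get("Section", "")
    return section.split("/", 1)[0] if "/" in section else "main"


def components_by_package(text):
    """Map package name to archive component for every stanza in the index."""
    return {s["Package"]: component(s) for s in parse_stanzas(text)}


if __name__ == "__main__":
    for name, comp in components_by_package(SAMPLE_INDEX).items():
        print(f"{name}: {comp}")
```

Feeding it a real index (the Packages file from a mirror, or the output of apt-cache show) lets a policy check treat "not in main" as a trigger for the fuller review this.josh describes, rather than as a blanket rejection.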

You may like to review the CC. Although it will be exhaustive and a bit too much for internal assurance of products, you may consider only the portion which fits your organisation's requirements. CC outlines how products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance: http://www.commoncriteriaportal.org/cc/ http://www.commoncriteriaportal.org/supporting/

RudraK
  • Almost no open-source project undergoes CC evaluation, due to extreme cost and uncertain value. – D.W. Jul 19 '11 at 20:56