Open source software is no longer limited to applications running on computers and servers. It's used in mobile devices, entertainment systems, medical equipment, and connected cars, to name a few. With open source software used by governments and practically every industry sector, finding and fixing vulnerabilities has moved beyond an "it would be nice" situation solidly into the "we have to do better" camp.
Toward that end, Mozilla launched The Secure Open Source (SOS) Fund to help pay for security auditing, remediation, and verification for open source software projects. As part of the program, Mozilla committed to contracting and paying security firms to audit projects' code, working with the project maintainers to support and implement fixes, and paying for verifying the remediation work to ensure bugs have been addressed. Mozilla will also work with the maintainers to manage vulnerability disclosure. Mozilla supplied The SOS Fund with $500,000 in initial funding and encouraged other companies and governments to support the program by contributing additional funds.
"We challenge these beneficiaries of open source to pay it forward and help secure the Internet," Mozilla said.
The discovery of Heartbleed in OpenSSL and Shellshock in Bash showed that open source software wasn't necessarily more secure than closed source applications. The idea that more eyeballs looking at the code meant vulnerabilities would be found quickly breaks down if everyone assumes someone else is looking. Some projects were tremendously popular, creating a situation where many people trusted and relied on code no one had vetted. Many people realized for the first time exactly how underfunded and understaffed some popular projects were, such as the fact that OpenSSL had only two part-time developers at work.
Especially concerning -- more than two years after Heartbleed -- there are still widely used open source projects with only one or two developers that have no corporate sponsorship and rely on volunteer donations. These projects frequently lack the resources or funding to focus on application security basics, to perform regular testing, and to remediate the bugs that are found. Some of these projects are embedded in critical applications, networking infrastructure, and services. Vast swaths of the internet rely on open source technologies. As much as 30 percent of deployed software in the Global 2000 is open source, and most modern applications -- even commercial closed-source ones -- include open source components.
"Adequate support for securing open source software remains an unsolved problem," Mozilla noted.
Fixing issues in open source software
As part of the Mozilla Open Source Support program, The SOS Fund will cover the costs of the audits themselves and help with coordination and other types of support for various widely used open source libraries and programs. Mozilla has already supported audits for PCRE (Perl Compatible Regular Expressions), libjpeg-turbo (a fork of the libjpeg codebase), and phpMyAdmin, the web-based admin tool for MySQL databases. The effort uncovered 43 vulnerabilities across the three projects. Mozilla worked with Cure53 on the PCRE and libjpeg-turbo audits, and with NCC Group on the phpMyAdmin audit.