
oCERT: Volunteer Security Support and Response for OSS Projects

Written by Sam Dean - Apr. 03, 2008

Who ya gonna call? Ready for the third-party, volunteer open source software security police? Open source software is often criticized for lacking both the robust security features and the organized response to security issues found in its commercial counterparts. In addition, code from smaller open source projects is often bundled into larger projects, so a vulnerability in a small library can surface in software that never had that problem on its own. Now, with backing from Google, several well-known security professionals have launched oCERT, a public effort to provide security handling support and incident response for open source projects.

Just as the various national CERTs offer security support and incident response in their respective countries, oCERT is meant to fill the role that dedicated security teams play at large infrastructures and distributions. The difference is that oCERT serves open source projects, including very small ones that have no security team of their own.

The new organization made its debut at the recent CanSecWest security conference. Tavis Ormandy and Will Drewry from the Google Security Team, along with participants from Intel, are part of oCERT's team.

OpenBSD, Mandriva and other well-known players are already working with oCERT as members, and membership in the organization is required to participate. Note that to make use of oCERT's services, a project must have an active person functioning as its security contact. That requirement follows from oCERT's intent to provide rapid response to incidents: it needs someone on the project's side to coordinate with.

You can report incidents at oCERT's site now, and access a free list of security resources. To join as a member, e-mail membership [at] ocert [dot] org.

Are oCERT's services free? It's a volunteer-based effort at this point, and the resources on offer appear to be free, but it's worth keeping an eye on any costs that may be introduced going forward as you work with oCERT.

Do you think this kind of third-party security support and response effort is valuable for open sourcers?


Comments

  1. By macojac on Apr. 04, 2008

    The more you can do to beef up security, the better. The big benefit of open source is that there are hundreds of eyes looking through the code, identifying bugs and fixing them. With more focus on security, this will only help.

  2. By Joe Mendis on Apr. 04, 2008

    This is a great idea. I am sure this would increase the adoption of more OSS into mainstream orgs.

    Are there other services similar to this, even paid services that specialize in OS security?