Open security isn't just software, say government open source advocates
Open source advocates within government say the "many eyeballs" approach that open source applies to building software functionality can be extended to improving system cybersecurity.
For a few years now the Homeland Security Department has quietly run a program dubbed Homeland Open Security Technology (HOST), which has funded development of Suricata, an open source intrusion detection and prevention engine, and paid for FIPS 140-2 validation of OpenSSL, the open source toolkit that implements SSL and TLS.
But the idea of an open source approach to security isn't limited to software, says David Wheeler, a military open source advocate at the Institute for Defense Analyses. In a white paper, Wheeler argues that open source collaboration as a way of improving security can extend to hardware and to documentation; the latter is already happening in projects such as the OWASP Developer Guide.
"Open security is simply the application of OSS approaches to a particular type of problem," he writes.
Through the work of HOST and others, the term "open security" has gained increasing traction over the past few years, Wheeler said in an interview, but there's been uncertainty about what it exactly means. "Can this include hardware? The answer is yes. Could it include written documents? Yes," he said.
In fact, open security isn't only about extending open source collaboration to non-software artifacts such as hardware and documents; it also means applying that collaboration to the security of open source software itself, Wheeler added.
Security vulnerabilities in an open source application are often corrected by its community of developers, and open source software is commonly held to be as secure as, or more secure than, proprietary code because anyone can review it.
But security problems often arise where components interact, or aren't obvious until developers step back from the project and examine it specifically with security in mind, Wheeler said.
"Instead of focusing on the functionality, why don't we focus on making things secure," he said. An open security effort would bring the eyeballs of security specialists to open source projects that currently get mostly functionality-focused review.
Open security will need a website to serve as a collaboration hub, Wheeler acknowledged; he said open-sec.org is a place where people outside DHS could start collaborating. Within DHS, HOST should release additional tools, including a catalog of open source software, particularly projects relevant to open security, Wheeler said.