The Linux Foundation today announced the first protocols that it wants to address as part of its open-source code testing and security review. Not surprisingly, OpenSSL, where the infamous Heartbleed bug was discovered, is among them.
Called the Core Infrastructure Initiative (CII), the effort was created by several of the large tech companies, including Amazon Web Services, Cisco, Dell, Facebook, Microsoft, and IBM, in the aftermath of last month’s Heartbleed crisis. Heartbleed was the serious vulnerability revealed last month in the OpenSSL encryption protocol and its widespread use in servers, client software and network and security products set off a global stampede to patch them and swap out digital certificates, in addition to changing passwords.denial-of-service attacks.
In addition to funding a code audit of the OpenSSL protocol, CII today also said it’s directing its security review efforts to two other widely-used protocols: OpenSSH and Network Time Protocol (NTP). NTP has recently gained attention as a source of concern because it has been abused to generate
The CII group isn’t specifying how much funding is being dedicated to these security reviews, but does say the entire CII effort has raised over $5 million from its founding members.
The CII intends to coordinate with the OpenSSL project to assist with two full-time core developers. The Open Crypto Audit Project is also expected to receive funding from CII to conduct a security audit of the OpenSSL code base.
CII today also announced Adobe, Bloomberg, HP, Huawei and Salesforce.com as additional members. CII also says it’s established an advisory board and steering committee to identify open-source projects “most in need of support.”
CII’s Advisory Board members include Linux kernel developer Alan Cox; Matt Green of Open Crypto Audit Project; Dan Meredith of the Radio Free Asia’s Open Technology Fund; Eben Moglen of Software Freedom Law Center; Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School; Eric Sears of the MacArthur Foundation; and Ted T’so, a file-system developer at Google and the Linux kernel community.
Jim Zemlin, executive director of The Linux Foundation, said, “All software development requires software and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastrcture.” He added the aim of CII is to “move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need,” adding CII is a forum to be able to do that.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org