What Is the Secure Open Source “SOS” Fund? Why the Need for Open Source Security?
Recently there have been serious vulnerabilities in some widely used open source projects. Since then, many additional steps have been taken to avoid such vulnerabilities and enhance open source security. Mozilla’s Secure Open Source fund acts like a security testing tool for open source projects that want to undergo an audit.
Mozilla’s SOS fund supports security audits of open source software projects. Shouldn’t it be called an open source vulnerability scanner? Yes! Also, it’s free once the candidate project’s application is approved. It surely enhances open source security.
Is It One Of Many Security Testing Tools?
Mozilla Secure Open Source “SOS” Fund’s Selection Criteria
As mentioned above, there are selection criteria a candidate project must pass before the audit. Obviously, the code has to be open source; in addition, factors like the following are considered –
- How commonly used is the software?
- Is the software network-facing or does it regularly process untrusted data?
- How vital is the software to the continued functioning of the Internet or the Web?
- Does the software depend on closed-source code, e.g. in a web service?
- Are the software’s maintainers aware of and supportive of the application for support from the SOS fund?
- Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
- Does the software have existing corporate backing or involvement?
So Mozilla analyzes each project based on factors like those mentioned above, with the aim of enhancing open source project security.
How To Apply For This Open Source Security Audit?
When a software company like Mozilla offers such an important opportunity to enhance open source security, there has to be a quick way to apply.
Here is a link to the application form that you can fill in and submit to become a candidate.
Open Source Projects That Have Undergone This Open Source Security Audit
Some projects have already applied, been accepted, and undergone the audit. Three popular ones are PCRE, libjpeg-turbo, and phpMyAdmin.
PCRE (Perl-Compatible Regular Expressions) is a C library that provides regular expression matching for use in a codebase.
libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG.
phpMyAdmin is a web-based administration tool for MySQL databases.
The audits found a total of 43 vulnerabilities across these three projects, including 1 Critical, 1 High, 10 Medium, 27 Low and 4 Informational level vulnerabilities.