How Mozilla's Secure Open Source Fund Acts As Best Of The Security Testing Tools To Strengthen Open Source Security


Table of Contents

We all know Mozilla by its great work in the software development. Some of the great applications we use daily are actually built by Mozilla. It includes Firefox, the most common web browser and email client Thunderbird. Mozilla has taken a step further to act as best of the security testing tools to strengthen open source security through fund called “Secure Open Source” a.k.a SOS.

What Is Secure Open Source “SOS” Fund? Why The Need Of Open Source Security?

Recently there have been some serious vulnerabilities in some widely used open source projects. After that, there have been many additional steps taken for avoiding such vulnerabilities and enhancing open source security. Mozilla’s Secure Open Source fund acts like security testing tools for open source projects who want to undergo the audits.

Mozilla’s SOS fund supports security audits of open source software projects. Should’nt it be called an Open Source vulnerability scanner? Ya! Also, it’s free once the application of the candidate project is approved. It surely enhances the open source security.

open source security

We’ve already seen some widely spread vulnerabilities recently that dropped a mark on open source projects but thanks to a massive number of people who quickly solved the issue as always. Through the SOS, the selected open source projects will be audited and will be looked for vulnerabilities. If there is any vulnerability found, it will be fixed.

open source vulnerability scanner

Is It One Of Many Security Testing Tools?

Surely it’s not. But it acts like so. There is an entire procedure of undergoing the audit of an open source project. There are certain terms or selection criteria that a candidate project should fill to undergo the audit. When I say security testing tools it does not mean that you upload your code and Mozilla scans it immediately and provide you the summary of the results.

Mozilla Secure Open Source “SOS” Fund’s Selection Criteria

mozilla approved open source security audit

As mentioned above that there is a selection criterion for a candidate project to pass before the audit. Obviously, the code has to be open source plus the factors like below are considered –

  • How commonly used is the software?
  • Is the software network-facing or does it regularly process untrusted data?
  • How vital is the software to the continued functioning of the Internet or the Web?
  • Does the software depend on closed-source code, e.g. in a web service?
  • Are the software’s maintainers aware of and supportive of the application for support from the SOS fund?
  • Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
  • Does the software have existing corporate backing or involvement?

So Mozilla will analyze the project based on factors like mentioned above to enhance open source project security.

How To Apply For This Open Source Security Audit?

When software company like Mozilla is giving such an important opportunity to enhance the open source security, there has to be a quick way to apply for.

Here is a link to the application form that you can fill in and submit to become a candidate.

Open Source Projects That Have Undergone This Open Source Security Audit

open source vulnerability scanner

There have already some projects applied, passed and undergone the audit. These are three popular projects namely, PCRE, libjpeg-turbo, and phpMyAdmin.

PCRE (Perl-Compatible Regular Expressions) is a C library for implementing regular expressions in a codebase.

libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG.

phpMyAdmin is a web-based administration tool for MySQL databases.

The audit found total of 43 vulnerabilities in these three projects including 1 Critical, 1 High, 10 Medium, 27 Low and 4 Informational level vulnerabilities.

Image Courtesy – Image 2