Does Open Source Need a Red Team?
"The Team could also provide a set of recommended processes and tools for O.S. projects to follow prior to submission to the Red Team test queue. This by itself would be a valuable tool.
Such teams are sometimes used by companies to test the security of their networks and software. The O.S. community has done an excellent job so far, but as open source is used more and more by the mainstream computer users, vetting by a 3rd party would help make many organizations more likely to accept a piece of O.S. software.
The Team would, like any open source project, be comprised of both experts and newbies. The newbies would have the opportunity of doing real testing under the guidance of folks who know more, thereby becoming more expert themselves. The experts would provide a centralized open-source-oriented set of recommendations and specialized review as needed.
Either the Red Team or its members could also provide paid services for commercial software, and could participate with university CS departments in training students, providing the opportunity for valuable cross-training between schools. It might even be possible to arrange course credit for work on the Team.
Many Open Source projects could benefit from such a 3rd party group to recommend development procedures, code styles, and actual testing to teach and motivate better security practices in code design. The plain fact is that many (most?) of us developers are not completely 'up' on the issue of security - it's a very dynamic area of specialization. This initiative could be another resource that will be useful in establishing OS in the mainstream."
Funding? Needed at All? (Score:5, Insightful)
And of course, the benefit of open source is that all sorts of motivated, talented people from all over the world pitch in to do a similar analysis for free, and without a formal "red team." This breaks down quite a bit with the volume of Free Software being produced nowadays, however. But the important pieces of infrastructure (Apache, e.g.) DO get the scrutiny their importance demands. Not to mention pounding by black hats.
Someone mentioned OpenBSD [openbsd.org]. But even they don't audit everything. They confine their attention to the core of the OS. That's quite a lot of software, but the ports tree is quite a bit more. The ports get somewhat more attention than they would simply because you've got a large set of security conscious users.
Maybe you should try asking the OSDL (Score:4, Insightful)
I recall they are an organization sponsored by big names in the IT industry, that could possibly explore such an idea. Their idea is to provide enterprise class testing to help advance the Linux community. I don't see why this couldn't be an extension of it.
I'm sure a nicely worded, thought out paper explaining the benefits would at least get a response, and possibly spike some interest.
Re:Funding? Needed at All? (Score:2, Insightful)
The paper by _iris (92554) [slashdot.org] suggested previously that this function might be part of an insurance package. Business insurers often require IT emergency plans, risk analysis and 3rd party network security audits, and might reasonably require a company moving to open source software (read, "unknown vendor") to have the software reviewed. This is exactly where the idea of a group specializing in OS software would fit and quite possibly make money.
As for "all sorts of motivated, talented people", I think you're making my point. The "Red Team" project could provide a focus for those folks to achieve some synergy - I'm not involved in that area much but I suspect that a lot of those folks are feeling 'behind the curve' lately. It's amazing how well the community has done. A project that focusses that effort could greatly improve the availability of the 'right' information and fast access to folks who have the experience.
I do disagree with your thought that the "important pieces" get scrutinized, if you mean to say that's sufficient. The problem is that, using Apache for example, Apache itself can be bulletproof but many scripting projects using modperl, PHP, JSP, etc. are not. The result is a server that is nearly as vulnerable as if Apache itself had a vulnerability.
Apache scripting is what triggered my thought on this topic. A large number of scripting vulnerabilities have been reported lately. I can't guarantee that the scripts I've written have been bulletproof. I'd like to have a resource that, perhaps with some configuration by me, could run through a set of tests of my scripts. This couldn't guarantee anything but it could help developers.