EFF Launches Open Source Code Security Program to Improve User Privacy
The Electronic Frontier Foundation (EFF) has launched a new security initiative aimed at identifying vulnerabilities in open source code. The move is another sign of the open source world's increasing interest in leveraging the the community to shore up software security in the wake of embarrassments like Heartbleed.
The Electronic Frontier Foundation (EFF) has launched a new security initiative aimed at identifying vulnerabilities in open source code. The move is another sign of the open source world’s increasing interest in leveraging the the community to shore up software security in the wake of embarrassments like Heartbleed, the bug found in the popular OpenSSL cryptographic software library that led to so much trouble last year.
The EFF announced the initiative, called the Security Vulnerability Disclosure Program, on Dec. 3. The organization, which advocates for online freedom and openness, describes the program as “a set of guidelines on how to report bugs in software EFF develops,” as well as in third-party software that the EFF uses.
The EFF maintains several security tools that are popular among users interested in protecting their privacy, such as HTTPS Everywhere, a browser extension that provides SSL encryption for all Web traffic.
Of course, when tools that are designed to protect users’ privacy and security turn out to have flaws that help attackers who want to steal private data, they tend to hinder more than help. They leave users with a false sense of security. That’s what happened when the Heartbleed bug exposed a flaw in SSL encryption software that was supposed to keep data private.
The EFF’s Security Vulnerability Disclosure Program is an effort to curtail these risks by encouraging members of the privacy and open source communities to inspect code, as well as particular software configurations, for vulnerabilities.
In this sense, the program falls in line behind similar initiatives introduced over the last couple of years. The Linux Foundation in April 2014 launched the Open Core Initiative to help fund attention to software security in open source projects. Last spring, the Foundation took similar steps by building up the Let’s Encrypt project for better browser security.
Meanwhile, Linus Torvalds has been vocal in recent months about approaching security in the open source Linux kernel project as something that will never be perfect but nonetheless still needs greater attention.
Taken together, the EFF’s program and these other initiatives help set the open source software world apart from its proprietary counterpart when it comes to security. Most companies that develop closed source software have done little publicly to make their code more secure or to allay privacy concerns in our era of constant data privacy breaches at big-name organizations. They also rely less on third parties in their quest to improve software security.
The open source approach to security has evolved in a different direction. Open source programmers are now willing—eager, even—to admit that their code inevitably has flaws. In fact, they are recognizing that it has so many flaws that they alone cannot identify and fix them all. So groups like the EFF are relying on the community at large to help secure their code.
About the Author
You May Also Like