Tuesday, June 21, 2016
How the Linux Foundation’s Core Infrastructure Initiative (CII) Can Help Address Security Issues in Software License Agreements
by Karen Copenhaver, Choate, Hall & Stewart LLP, Counsel to the Linux Foundation
In recent years, parties to software license agreements have given increasingly greater attention to the software's security capabilities, and that trend is expected to continue. Another trend in such transactions is the increasing extent to which the software is based on open source code. Accordingly, licensing professionals who work on software transactions on behalf of companies that vend or use open source software (which includes almost all companies) should be aware of the work of the Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively invest in core infrastructure and to identify and fund critical open source projects in need of assistance to improve security. Established in 2014 in response to the Heartbleed vulnerability, CII was founded by more than 20 companies to fortify the security of key open source projects. The multi-million dollar project is supported by, among others, Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, Salesforce, and VMware. The White House also recently signaled its support for and partnership with The Linux Foundation on this work by including it in its Cybersecurity National Action Plan (http://www.linuxfoundation.org/news-media/blogs/browse/2016/02/linux-foundation-s-core-infrastructure-initiative-working-white).
The CII provides funding for key developers to work full-time on open source projects that are critical to the global computing infrastructure and cybersecurity. CII also provides security audits and expertise, computing and test infrastructure, travel, face-to-face meeting coordination and other support. For the projects identified and supported by CII, all of which have been widely deployed across the ecosystem, many of them for decades, it will be increasingly important to identify every instance in use and to ensure that updates are applied promptly. Knowing the version of these critical components in use will become a fundamental part of any security program and diligence process.
CII accepts grant applications, with priority given to underfunded open source projects that support the largest amount of infrastructure. A steering committee, which meets quarterly to review proposals, recently renewed annual grants for GnuPG, NTPd, OpenSSL, and OpenSSH to continue supporting developers and code audits. The impact of the initial grants was felt immediately, enabling these core projects to add team members, improve coding best practices, establish predictable release schedules and roadmaps, and perform audits to help future-proof their code.
The steering committee has also identified several other forward-looking projects that will help to create a culture of secure coding practices. CII's funds will support a new open source automated testing project, the Reproducible Builds initiative from Debian, which will be useful in confirming that the machines used to build binaries distributed to users have not been compromised by unknown attackers. IT security researcher Hanno Böck's Fuzzing Project will also be advanced. This project makes a powerful testing technique available for identifying security problems in software or computer systems. Many vulnerabilities in well-known software, including several GnuPG and OpenSSL bugs reported lately, were found by Böck's effort. A third initiative has been approved to support the work of Pascal Cuoq, chief scientist and co-founder of TrustInSoft, to build improved testing capabilities for identifying security vulnerabilities that need to be fixed.
As these essential resources are tested, audited, updated and improved, new versions will provide all users with the benefits of these focused development programs. Continued use of outdated versions of these programs will quickly become commercially unreasonable.