US $1.24m grant for Open Source security

The U.S. Department of Homeland Security (DHS) has awarded a US$1.24 million three-year grant to Stanford University and software vendors Coverity Inc. and Symantec Corp. The grant will fund daily security audits and analysis of more than 40 open-source projects including Apache, Linux, Mozilla, MySQL and PostgreSQL.

Known as the Vulnerability, Discovery and Remediation Open Source Hardening Project, the grant forms part of a broad initiative by the DHS Science and Technology Directorate to encourage the development and deployment of technologies to protect the country’s key computer systems networks, including the Internet, according to Coverity executives. The awarding of the grant was announced Wednesday.

Under the terms of the grant, Stanford will receive a total of $841,276 in funding over the three-year period, Coverity $297,000 and Symantec $100,000. Source-code analysis startup Coverity will receive the bulk of its funding, $237,000, in the first year of the grant, with the remainder of the money, $60,000, to be paid out equally over the two following years, according to Rob Rachwald, senior director of product and corporate marketing with Coverity.

Coverity will use the money to extend its Prevent software so it can analyze the source code of a wider variety of open-source projects for software defects and security vulnerabilities.

“We’ll develop the [Prevent] tool so we’re able to understand what the government needs in terms of defect detection, software reliability and software security,” Rachwald said Wednesday.

Coverity’s Prevent will carry out automatic daily security audits of the open-source projects and post the defects it finds in a public online bug database, according to Rachwald. Stanford will contribute staff to provide recommendations for developing secure open-source software in future.

Among those contributing will be Dawson Engler, an associate professor of computer science at Stanford and a co-founder of Coverity, Rachwald said. Symantec will draw on its expertise in security software to suggest both best security practices for the U.S. government to adopt and how to deploy software in a secure fashion so as to lower the incidence of any attacks, he added.

Coverity plans to have the daily audits for an initial 40 open-source projects up and running by March, according to Rachwald. However, he expects more open-source projects to be added over time in response to requests by the DHS. Coverity is still determining exactly how it will present the bug database online. The company may use the same method it does with Linux with its Web site, which developers have to log into or else make the audits available via Stanford’s Web site, he said.

“This is part of a trend where government is adopting a lot of the technology software companies already have,” Rachwald said, pointing to the likes of McAfee Inc., Sun Microsystems Inc. and Symantec, which already use Coverity’s Prevent technology.

The DHS did not immediately return calls for comment.

This is Coverity’s first DHS grant, according to Rachwald. The company applied for the grant in December 2004.

Coverity’s technology originated in Stanford’s computer systems laboratory. The company, which has its headquarters in San Francisco, was founded in 2002.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now