Open Source Tools to Get Brussels Security Audit

Apache HTTP Server and password manager Keepass are to receive a code audit from the European Commission (EC) after a public vote.

The two open source tools were by far the most popular, chosen from a lengthy list of similar open source software platforms, including Firefox, Drupal and OpenSSL, that are in use at the EC and the European Parliament (EP).

In the coming weeks the audits will look to uncover any security issues in the code and share the findings with software developers.

They represent the next phase in a pilot project between the IT departments of the Commission and the Parliament.

EU-FOSSA is a new initiative designed to improve the security of free software used by the two institutions.

It's set to end in December, when the EC and EP will look to secure additional funding.

“We received 3282 answers, including many interesting and encouraging comments,” said Pierre Damas at the European Commission’s Directorate General for IT (DIGIT). “The number of responses is a clear indication of the appreciation for the EU-FOSSA project.”

However, others in the community expressed concerns about the project.

Free Software Foundation Europe vice-president, Matthias Kirschner, argued that if it continues down the current road most of the €1 million will be spent without any positive outcomes.

“The result will be a set of consultancy reports nobody will ever read,” he added.

The project is being managed by people who do not have enough knowledge of open source, contains factual errors, and has been hampered by a lack of communication on the part of those running it, he claimed.

An initial 550-page report was published recently on the progress of the project.

“In our comments from 8 July 2015 we recommended them to ‘Release Early, Release Often: Do not produce a huge report and publish this at the end of the project. Publish ideas, criteria, results, and next steps as soon as possible. Thereby you enable others to give you feedback’,” continued Kirschner.

“Publishing 550 pages after almost a year of silence does not allow you to comment on misunderstandings and systematic errors they made early in the project.”

Source: Information Security Magazine