DHS, Georgia Tech seek to improve security with open-source tools

Group will be a one-stop shop for open-source software

The Georgia Tech Research Institute has been designated the lead organization in a government project to develop open-source cybersecurity capabilities.

Funded with $10 million by the Homeland Security Department’s Science and Technology Directorate, the Homeland Open Security Technology (HOST) program is a five-year project to study and identify viable and sustainable open-source cybersecurity methods, models and technologies.

One of HOST’s key goals is to develop a portal for open-source security tools and applications that can be searched and accessed by federal, state and government personnel, said Joshua Davis, associate division head at GTRI’s Cyber Technology and Information Laboratory, and the program’s principal investigator. The portal is scheduled to be fully operational in July, but he said that there are already 150 items in the inventory.

Although parts of the government, such as the Defense Department, have embraced open-source software for a variety of applications, many agencies still view it as suspect. Davis hopes that HOST, as a resource, will help to dispel the “hippie in the basement” view of open-source programs: that they are cobbled together by enthusiasts rather than teams of professional programmers.

The advantage of open-source software is that users can vet the source code themselves to make an application more secure. “Having something in a cellophane wrapped box doesn’t make it safer,” he said.

The portal will lead users to a variety of vetted open-source security tools. Its purpose is to help government staffers to make informed decisions about selecting and using the tools. The software accessible through the portal will also have records of its use and accreditation by other agencies.

“We’re helping the DHS [and other federal agencies] become aware of what is out there and what to invest in,” Davis said.

Besides the portal, HOST is working to identify new open-source security tools and applications. For example, DHS is studying the use of open-source Secure Sockets Layer software. The program is working to provide open-source SSL tools with a Federal Information Processing Standards validation, which would allow federal personnel to use them in their networks.

HOST officials also want to help organizations using open-source programs by developing additional methods and tools to share the data they collect. For example, the FBI uses Wireshark, an open-source packet analyzer, to monitor network traffic in criminal investigations. However, there is a need to develop tools to more effectively present Wireshark data in court to support cases, Davis said.

The program is also reaching out to other federal agencies through a strategic council of open-source users. The group will host roundtable events to share information and promote the use of open-source security technologies. Through HOST, DHS wants to be seen as the go-to place for open-source software in the federal government, Davis said.

In HOST, GTRI is working with the Open Technology Research Consortium, a collaborative network of academic research institutions, industry partners and open-source groups. OTRC members participating in HOST include GTRI, the University of Texas at Austin, the Open Information Security Foundation and the Open Source Software Institute.


Reader Comments

Tue, Jul 5, 2011 Earth

Davis hopes HOST will help to dispel the “hippie in the basement” view of open-source programs — that it's cobbled together by enthusiasts rather than teams of professional programmers. ROTFL. We have for example Exhibit A the Microsoft operating systems, presumably created by “professional programmers”, that has enabled a whole new industry of organized crime. Vs. Exhibit B the Linux operating system cobbled together by enthusiasts that was chosen by the NSA to harden and release as open source for anyone who wants a truly secure system. You have to worry about those “hippie in the basement” folks at the NSA producing slapdash code riddled with security holes. The point here is that if the government wants truly secure software it needs to embrace and extend open source. Embrace to be able to examine the code to find vulnerabilities and extend it to provide secure capabilities. When you start to think of information processing as an infrastructure like roads and money then you better understand the concepts of “promote the general welfare and provide for the common defense.”
