Just like most European citizens, businesses and organisations, the EU is an avid user of Free and Open Source Software (FOSS). Software code published under an open source licence can be freely used, changed and distributed. That in contrast to proprietary software, which is closed and needs to be purchased for use.
The EU-FOSSA project
Given its popularity, it was inevitable that open source software too would become a target of cyber security attacks. In 2014, the Heartbleed bug, a vulnerability in OpenSSL caused extensive damage to web servers worldwide. Suddenly it was clear, the security of free and open source software needed to be addressed.
In 2015, the European Parliament secured an initial budget of €1M and the European Commission launched the EU-FOSSA pilot project. FOSSA, short for Free and Open Source Software Auditing, was a call to action to audit the security of the EU’s most critical open source software.
The pilot project created an inventory of open source software in use at the European Commission and defined a methodology to establish criticality. From the top 20 critical software, Apache HTTP Server and KeyPass (suggested by the public) were selected for a detailed security audit. In addition, a communications campaign raised awareness of cyber security all round.
Following the success of the EU-FOSSA pilot, in 2017 EU-FOSSA 2 was launched as a preparatory action, with an increased scope and budget of €2.6M.
The project extended to include open source software within other European institutions, and used innovative techniques such as Bug Bounties and Hackathons to find and fix key security vulnerabilities. In all, 15 bug bounties were launched and have proved highly successful and cost effective in identifying a wide range of security vulnerabilities. EU-FOSSA 2 is also organising three Hackathons, which bring together open source software practitioners from across the world to interact with colleagues from European institutions in Brussels, to improve the quality and security of their software.
EU-FOSSA 2 has commissioned studies on the best practices of open source in public administrations worldwide; issues relating to licencing and IT support and the roadblocks for greater use; and interacting with leaders from the open source community, to identify and implement solutions. An extensive communication campaign is helping to engage with open source developers, micro open source communities, and the EU public.
Initiatives such as EU-FOSSA are evidence of the European Commission’s commitment to the security and integrity of open source software, and the wider open source ecosystem.
To learn more about the EU-FOSSA 2 project visit joinup.