EU-Fossa project submits results of code audits

Published on: 23/10/2016

Tests did not reveal any critical vulnerabilities

The European Commission’s ‘EU Free and Open Source Software Auditing’ project (EU-Fossa) has sent its code review results to the developers of the Apache HTTP server and KeePass. The audit results are not yet public; however, no critical vulnerabilities were found.

The EU-Fossa project will publish its review when it receives permission from the Apache and KeePass developers.

EU-Fossa's Code Review Process

Over the past weeks, IT security experts contracted for the EU-Fossa project reviewed the source code of two open source applications: the Apache HTTP server and KeePass, a password manager. The reviews conclude that, from a security standpoint, the code is of good quality. “Our tests did turn up a few issues, none of which are critical or high-risk”, says Marek Przybyszewski, Information Systems Architect at DIGIT, who is managing the EU-Fossa project.

The EU-Fossa code security tests are part of a EUR 1 million pilot project by the European Commission and the European Parliament. The project is creating a formal process that lets the European institutions contribute the results of future software security reviews back to the open source communities.

Bug bounty

The pilot, which will end in December, is making all of its results public. In addition to the two code security audits, this includes an inventory of the open source solutions used by the Commission, and studies into the security practices of 14 open source communities.

Next week, the European Parliament will vote on a EUR 2 million extension of the project. The proposal, submitted by MEPs Julia Reda, Max Andersson (both Greens/EFA), and Marietje Schaake (ALDE), would allow the EC and EP IT teams to continue their open source code reviews. The new project would also create an EC/EP bug bounty programme.

“Such approaches are very common and successful in the industry and would allow for a broader involvement of the security community in the common objective of ensuring a more secure IT infrastructure”, the three MEPs write in their proposal.