The European Commission is about to start security audits of the open source software it uses. The actual review is planned for next summer. In the coming months, teams will build an inventory of the open source projects in use at the European Parliament and the Commission, and compare their security practices with those of the open source communities.
The ‘EU-Free and Open Source Software Auditing’ (EU-Fossa) project has a EUR 1 million budget, earmarked by the European Parliament in December last year. The so-called EP Pilot Project was part of the Parliament’s acceptance of the Commission’s 2015 budget.
“The outcome of the project is a process that will allow us and the open source communities to assess the security level of free and open software”, says Marek Przybyszewski, Information Systems Architect working for the European Commission’s Directorate-General for Informatics (DIGIT), who presented the EU-Fossa project at the Opensourcesummit in Paris. DIGIT has held interviews with stakeholders inside the Commission and with representatives of free software development and advocacy groups. The project will involve software development groups such as Debian and Drupal.
DIGIT wants the project to involve the Commission in fixing bugs in open source components. One possible outcome is that the EC regularly inspects widely used open source software. DIGIT has made contributing to open source software development projects one of the priorities of its open source strategy.
News and reports from the project will be made available on the EU-Fossa community, which will soon be unveiled on the Commission’s Joinup platform.
Last week, the Dutch parliament approved a EUR 0.5 million budget to develop and improve existing open source encryption solutions such as OpenSSL, LibreSSL or PolarSSL (renamed Mbed TLS).
In 2014, the Linux Foundation began the Core Infrastructure Initiative to fund and support critical elements of the global information infrastructure. The project is financially supported by 19 major ICT companies and financial news services company Bloomberg. The first projects to receive funds from the CII were OpenSSL and Bash.