Threat assessment model: Testing open source software for security

To mitigate the risks of using open source software, Yoav Aner and Carlos Cid propose a new threat modelling method for testing the security of open source software.

The IT world tends to divide into two camps when it comes to open source software. One camp argues that it is foolish to rely on code developed by a community that cannot be held to account if anything goes wrong; these are the ones who insist on buying commercial software from a vendor they can identify.

The other camp argues that a global community is more likely to spot vulnerabilities than a single vendor's development team, and would, therefore, be able to respond more quickly when errors occur. The fact that open source software is frequently free or low cost is also a powerful attraction.

In their article, Open Source Security Assessment, Yoav Aner and Carlos Cid argue that there is a way to measure the risks associated with open source software, and, in many cases, to mitigate or eliminate those risks.

They propose a framework that would allow organisations to model the associated threats and also identify vulnerabilities in the code. This is done with a threat assessment model that is more often used in the design and development phases of applications, rather than to analyse existing applications. However, they demonstrate that the threat modelling approach, with slight modifications, can aid in the identification of security vulnerabilities for existing applications or systems.

The methodology and processes covered in the article aim to give some direction when it comes to testing open source software for security, allowing organisations to test in a more comprehensive and focused manner.

About the authors:
Yoav Aner is an information security specialist with 16 years' experience. His areas of expertise include security architecture, design and evaluation, with a particular focus on application security and the practical use of cryptography. He has worked both domestically and internationally in the telecom, finance and IT industries.

Carlos Cid joined the Information Security Group at Royal Holloway in October 2003 as a postdoctoral research assistant to work on the EPSRC-funded project "Security Analysis of the Advanced Encryption Standard (AES)." He is currently a RCUK Academic Fellow. Carlos has a broad interest in the area of information security, in particular cryptography.

The article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.
