BLU Discuss list archive
[Discuss] open RFP/business idea for open source security business
- Subject: [Discuss] open RFP/business idea for open source security business
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Mon, 24 Jul 2017 15:00:03 -0400
I wrote the text below in response to a comment on Slashdot on how open source doesn't help the non-programmer have more secure software. I suggest a reason why that might not be the case theoretically and a potential business opportunity for someone who wants to make it a reality. I'm posting it here in the hopes that someone with the skills/initiative to make it happen will take up this idea. I welcome discussion of potential problems with the idea.

Please feel free to forward it on to other communities/individuals who might find it interesting and might act on this idea. Just so it's clear, I don't have the combined skills/drive to want to work on this. I'm hoping that someone else will take it up. I would, of course, enjoy hearing about any efforts to make it happen.

Thanks,
Bill Bogstad
bogstad at pobox.com

===

If the US, Russian, Chinese, North Korean governments, and the EFF were to all certify a particular piece of open source software, then I would say that I am pretty safe in not having to analyze it myself. Clearly this hasn't happened yet, but open source at least makes it possible. It even makes it easy for outside experts (governmental or otherwise) to do their analysis, which means that I might be able to pick and choose from a large set of outside experts that I trust. This is because any private or governmental entity could trivially set itself up to be such an expert.

With efforts like Debian's reproducible builds, I may not even have to compile it myself. I can just verify the appropriate checksum(s)/signature(s) on the binaries that I downloaded from some random web site.

I can even see this as a commercial service. The equivalent of the current anti-virus industry (with yearly subscriptions) would probably be viable. They could compete on how fast they analyze new releases and how many bugs (security or otherwise) they find in the code. It would probably be necessary to embargo their reports on new releases for a short period to maintain an incentive for subscription and to give time for the original developers to fix the problem, but much like the anti-virus industry they would want to publicly release their results as well for PR purposes. Any large entity that used open source and didn't subscribe to some of these services would probably be considered negligent by its customers and might even be considered legally negligent as well. Obviously, not every piece of open source software would be considered important enough to draw such scrutiny, but I suspect that all of the major network-facing open source software (server or client) would be viable for such treatment.

The above seems so obvious to me in retrospect that I wonder why it hasn't already happened. Perhaps there is a chicken-and-egg problem? There would be a fairly large up-front cost for the initial checking of a major piece of software and no certainty that there would be a sufficient level of subscriptions to justify this cost (or pay for the lower costs of checking future releases).

One solution might be to do a Kickstarter campaign. I would be happy to contribute a modest sum ($100) if someone with expertise was to agree to check all releases of a major open source program for a year. It wouldn't even have to be a program that I used for that first year, as I would want to encourage the creation of an industry of this type.

Now you might argue that I should just give my money to the actual developers of the program. The problem with that is that I may be happy with the current feature set of a program, but would like more emphasis on checking for security problems (or QA in general). Nor would this allow me to select the people doing the checking so they were less likely to be in a position to be influenced by other organizations.

If there are any security experts reading this, please consider trying this out. Other than the time to write up a proposal with your qualifications, it seems to me like you would have little to lose. [Oh, I would also support a similar campaign to write documentation for a major open source software package (say LibreOffice) if there are any documentation writers out there.]