Informatics newsroom

DIGIT to assess the security of open source software

DIGIT will perform a security audit of the free and open source solutions used by the European Parliament and the European Commission.

The Free and Open Source Software Auditing (FOSSA) is a pilot project financed by the European Parliament and implemented by DIGIT. It was proposed in 2014, after the discovery of a software bug that shocked the entire IT community. The bug was nicknamed "Heartbleed" and affected a very widely used open source security library, OpenSSL. It is estimated that the Heartbleed bug has already cost $500 million, and many businesses still cannot be completely sure that their systems have not been compromised through this vulnerability. Even though the library's source code had been available to anyone interested, nobody performed a full vulnerability scan before the "Heartbleed" bug was discovered.

To address this at the European level, Max Andersson and Julia Reda, two Members of the European Parliament from the Greens/European Free Alliance group, initiated a pilot project to carry out a sample code review and demonstrate that support for open source software can be provided by the European institutions. The two MEPs explain that this project should increase trust in these open source solutions: “Vulnerabilities in critical information infrastructure have drawn the public's attention to the need to understand how governance and quality of the underlying software code relates to basic safety and public trust in applications.”

The European Parliament allocated EUR 1 million to pilot this project. If successful, the project could turn into a permanent programme to support the open source communities.

The FOSSA pilot will be completed by the end of 2016. Its scope has been limited to the European Commission and the European Parliament. If the project is continued, the other institutions will be involved as well.

DIGIT is working in close collaboration with a similar initiative, the Core Infrastructure Initiative, run by The Linux Foundation.