Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
EU Government Open Source Security Apache

EU To Give Free Security Audits To Apache HTTP Server and Keepass (softpedia.com) 67

An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.

This discussion has been archived. No new comments can be posted.

EU To Give Free Security Audits To Apache HTTP Server and Keepass

Comments Filter:
  • Nothing is free (Score:3, Insightful)

    by Anonymous Coward on Sunday July 24, 2016 @12:39PM (#52570819)

    EU to give taxpayer funded security audits.

    • by drnb ( 2434720 )

      EU to give taxpayer funded security audits.

      EU to expand its department/fiefdom.

      • Re:Nothing is free (Score:4, Insightful)

        by Anonymous Coward on Sunday July 24, 2016 @04:35PM (#52571727)

        The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free them on to their corporate buddies to sell back to the taxpayers with margin.

        • Re:Nothing is free (Score:4, Insightful)

          by drnb ( 2434720 ) on Sunday July 24, 2016 @07:03PM (#52572235)

          The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free them on to their corporate buddies to sell back to the taxpayers with margin.

          And if the EU simply funded EU University security researchers to do the audit that would not benefit EU citizens? Benefit EU citizens in more ways than simply having the audit performed? This is merely about growing staff and fiefdom, typical bureaucracy.

          • The EU is not performing the audit themselves, they are funding the audit performed by a reputable organisation. My bet is that FOX-IT will get the job.

    • by Anonymous Coward on Sunday July 24, 2016 @01:03PM (#52570921)

      I get free hourly security audits of my servers from the Chinese and Russian governments.

    • by Anonymous Coward

      Indeed. how day they do that. Next thing you are going to tell me is that [insert government entity] is going to give taxpayer funded graded and paved surfaces suitable for vehicular traffic. MADNESS!!!

    • by golodh ( 893453 )
      @Anonymous Coward

      EU to give taxpayer funded security audits.

      So?

      Sounds like money well spent to me.

    • by Maritz ( 1829006 )
      Pretty much every other governance out there uses taxpayer money to undermine private citizens' security, rather than bolster it.
  • I used to use Apache server years ago, now I prefer nginx. But what is this KeepAss thing?

  • by drnb ( 2434720 ) on Sunday July 24, 2016 @12:46PM (#52570845)

    The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament

    Damn, they are quite desperate to *seem* to be doing something useful. But yet again the bureaucrats think themselves the solution, to want to grow their departments and "fiefdoms", NOT! If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

    • Public IT is definitely who should not be responsible for this kind of testing
      • by drnb ( 2434720 ) on Sunday July 24, 2016 @12:51PM (#52570869)

        Public IT is definitely who should not be responsible for this kind of testing

        Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked. :-)

        • There are professional organizations that handle this kind of testing as their bread and butter. The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.
          • The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.

            It is not just about competence, but also conflict of interest. We need robust security to protect us from governments. It is foolish to trust those same governments to verify the security they are trying to circumvent.

            • Sure, it would be a problem if a condition of the auditing was that nobody else was allowed to audit the code. If memory serves, Apache does that open source thing. I also missed the part where the EU will be given permission to commit code without any review. I guarantee you that any incidents of polonium poisoning or multiple bullet wounds that occur among Apache project staff will not be due to natural causes.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked.

          I hacked her server. I know, it's hard to believe, right?
          But here's the proof:

          I found an email that said, "I let Benghazi happen because I hated them. Let them die."
          Then another one, "Top security? I personally mail these things to Putin, I'm such an evil person."
          Then another one, "I love Bill."
          Then, "Hey Don, let's get this plan started. I can't lose with you running!" Not sure who Don is, probably Knuth. I heard he was a track star or something.

          There it is. I hacked Hillary's server and gave you t

      • Public IT is definitely who should not be responsible for this kind of testing

        Remember the debate after heart bleed... We were all asking ourselves how come nobody invested in security auditing for openssl.
        We all took this infrastructure project for given. For the public sector to invest in some open source infrastructure projects is not a bad idea.

        I'm not suggesting that the public sector review everything, but for the public sector to identify and invest in a few heavily re-used open source projects is not bad idea. It's like public sector investment in roads and other infrastru

    • by gweihir ( 88907 )

      I agree. While they might find something, they will not have the skills to come up with a good final verdict and recommendations. Really good IT Security people (needed for this) will not work for a government bureaucracy in the first place, far too boring.

      • by drnb ( 2434720 )
        I think if they find something it will be the low hanging fruit and provide a false sense of security.
      • Remember working for an EU institution is not just well paid but tax free as well, and sometimes even a diplomatic status. They might need to hire but they rarely have trouble getting talent.

        • by gweihir ( 88907 )

          In some spaces (and IT security is one of those), you need to offer more than good compensation and benefits to get and retain really good people. You need to offer interesting work and I seriously doubt they can do this.

    • Not necessarily, it depends on their goals.

      Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant. Projects like this are a great idea. You do something "pro bono", actually useful for you and your society. At the same time you keep the team funded, ready for when you need them more. And, most importantly - you keep them busy doing their actual job, the best form of training there is.

      • by drnb ( 2434720 )

        Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant.

        And University researchers are unavailable, unwilling to answer the occasional call?

        You do something "pro bono", actually useful for you and your society.

        Supporting your EU universities and sponsoring research for professors and students does not benefit society?

        At the same time you keep the team funded, ready for when you need them more.

        So the internal team is bloated and short on work, but the department/fiefdom must be preserved?

        And, most importantly - you keep them busy doing their actual job, the best form of training there is.

        What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person

        • by drnb ( 2434720 )

          ... analyze malware ...

          "analyze malware and their software's vulnerability and exploitability to it" I should have written.

        • And University researchers are unavailable, unwilling to answer the occasional call?

          As someone who has worked for many, many years at a european university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

          By the way, do you have any idea how long this "occasional" call would take? This is EU, with all the regulations. Weeks to prepare the call. At least a month for the call, preferably a

          • by drnb ( 2434720 )

            As someone who has worked for many, many years at a european university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

            The TrueCrypt audit suggests otherwise, portions were done by professors and grad students. And my experience in grad school long ago suggest otherwise as well. You do realize the occasional grad student actually has an interest in how things work, in poking and proving a system, considers computer security a good area to do their research in? Some of us actually even had some experience beyond homework assignments.

            Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.

            If they have a security team of such a size I doubt their normal work has any massive downtim

    • by GuB-42 ( 2483988 )

      If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

      And why do you think it is better? You don't think the assigned IT department employees are competent?
      Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc... The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks.

      A university can tell you that

      • by drnb ( 2434720 )

        If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

        And why do you think it is better? You don't think the assigned IT department employees are competent? Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc

        Do you know what research is? It is often a tedious process of going through lots of information to check all the details and to spot errors/inconsistencies/surprises.

        The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks. A university can tell you that the lock you are using and that everyone thought was unbreakable may be cracked in 2 years. An auditor will tell you that the window is opened.

        Speaking as someone who did security research while at the University, you are ill-informed.

  • Quit the bashing (Score:5, Interesting)

    by lbalbalba ( 526209 ) on Sunday July 24, 2016 @01:02PM (#52570917)
    Hey, I'm an European, and I welcome this. Apache is widely used, and it's security is for the common good. At the very least, this is a step in the right direction. The only downside I can think of, is that Apache is already heavily scrutinized by both static analyzers and 'real human being' audits, so it this particular choice may be of limited use. Still, a mayor step forward in my opinion.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I'm an American, and I too think this is fantastic. OpenSSL has shown us that lax security in open source projects can have widespread disastrous consequences. I also use and love KeePass. Bring on the audits!

    • That should make their job easier. Having a list of known vulnerabilities is a decent start. Hopefully their not just going to run Retina, print out a report, and call it done.
  • by Anonymous Coward

    It has been contracted out to a consultancy (who might sub-contract?), as the Pirate Party MEP who started this project reports: https://juliareda.eu/2016/07/eu-audits-keepass-apache/

  • I use KeePassX, but there's also KeePass 2 and some other forks. Which one exactly will be audited?
    • by Anonymous Coward

      The one at keepass.info [keepass.info].
      If the forks haven't made any major refactoring they should still benefit a lot from this since they can do the diff from the audited version and see if any of the problems found still is present in their code.
      Sure, they can have added new ones, but that is one of the costs of making a fork.

      Personally I don't like the idea of electronic password managers since I feel that too much damage would be done is the manager is compromised.
      I feel that a note next to the computer with a few hi

Your own mileage may vary.

Working...