EU To Give Free Security Audits To Apache HTTP Server and Keepass

An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.

Nothing is free

[Anonymous Coward]

EU to give taxpayer funded security audits.

Re:

[drnb]

EU to give taxpayer funded security audits.

EU to expand its department/fiefdom.

Re:Nothing is free

[Anonymous Coward]

The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free them on to their corporate buddies to sell back to the taxpayers with margin.

Re:Nothing is free

[drnb]

The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free them on to their corporate buddies to sell back to the taxpayers with margin.

And if the EU simply funded EU University security researchers to do the audit that would not benefit EU citizens? Benefit EU citizens in more ways than simply having the audit performed? This is merely about growing staff and fiefdom, typical bureaucracy.

Re:

[Morris von Habsburg]

The EU is not performing the audit themselves, they are funding the audit performed by a reputable organisation. My bet is that FOX-IT will get the job.

Re:Nothing is free

[Anonymous Coward]

I get free hourly security audits of my servers from the Chinese and Russian governments.

Re:

[Anonymous Coward]

Indeed. how day they do that. Next thing you are going to tell me is that [insert government entity] is going to give taxpayer funded graded and paved surfaces suitable for vehicular traffic. MADNESS!!!

Re:

[golodh]

@Anonymous Coward

EU to give taxpayer funded security audits.

So?

Sounds like money well spent to me.

Re:

[Maritz]

Pretty much every other governance out there uses taxpayer money to undermine private citizens' security, rather than bolster it.

KeepAss?

[roman_mir]

I used to use Apache server years ago, now I prefer nginx. But what is this KeepAss thing?

Re:

[aliquis]

A open-source password manager (and generator I believe?)
http://keepass.info/ [keepass.info]

For lots of OSes: http://keepass.info/download.h... [keepass.info]
With lots of plugins: http://keepass.info/plugins.ht... [keepass.info]

Re:

[AutodidactLabrat]

Except I am actually running the Mono version on my two Linux boxes and it works fine, cross-syncs with my Windows machines and keeps on trucking.
Are you sure you've tried it?

Re:

[grim4593]

I agree. It works well in Linux, Windows, and there is even an Android app that is compatible.

Re:

[piojo]

It's not cross platform in any meaningful way.

If you're on Android, Keepass2Android is fantastic. More secure and a better UI than the other Keepass app I tried.

Re:

[dgatwood]

That's what I was wondering. It sounds like BitLocker for porn—a special app that lets you use a gesture and a password to decrypt hidden layers in your filesystem with all the stuff you don't want your significant other to see....

IT of Commission and Parliament, not University?

[drnb]

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament

Damn, they are quite desperate to *seem* to be doing something useful. But yet again the bureaucrats think themselves the solution, to want to grow their departments and "fiefdoms", NOT! If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

Re:

[bhcompy]

Public IT is definitely who should not be responsible for this kind of testing

Re:IT of Commission and Parliament, not University

[drnb]

Public IT is definitely who should not be responsible for this kind of testing

Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked. :-)

Re:

[bhcompy]

There are professional organizations that handle this kind of testing as their bread and butter. The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.

Re:

[ShanghaiBill]

The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.

It is not just about competence, but also conflict of interest. We need robust security to protect us from governments. It is foolish to trust those same governments to verify the security they are trying to circumvent.

Re: IT of Commission and Parliament, not Universit

[Anonymous Coward]

Sure, it would be a problem if a condition of the auditing was that nobody else was allowed to audit the code. If memory serves, Apache does that open source thing. I also missed the part where the EU will be given permission to commit code without any review. I guarantee you that any incidents of polonium poisoning or multiple bullet wounds that occur among Apache project staff will not be due to natural causes.

Re:

[Anonymous Coward]

Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked.

I hacked her server. I know, it's hard to believe, right?
But here's the proof:

I found an email that said, "I let Benghazi happen because I hated them. Let them die."
Then another one, "Top security? I personally mail these things to Putin, I'm such an evil person."
Then another one, "I love Bill."
Then, "Hey Don, let's get this plan started. I can't lose with you running!" Not sure who Don is, probably Knuth. I heard he was a track star or something.

There it is. I hacked Hillary's server and gave you t

Why not...

[jopsen]

Public IT is definitely who should not be responsible for this kind of testing

Remember the debate after heart bleed... We were all asking ourselves how come nobody invested in security auditing for openssl.
We all took this infrastructure project for given. For the public sector to invest in some open source infrastructure projects is not a bad idea.

I'm not suggesting that the public sector review everything, but for the public sector to identify and invest in a few heavily re-used open source projects is not bad idea. It's like public sector investment in roads and other infrastru

Re:

[gweihir]

I agree. While they might find something, they will not have the skills to come up with a good final verdict and recommendations. Really good IT Security people (needed for this) will not work for a government bureaucracy in the first place, far too boring.

Re:

[drnb]

I think if they find something it will be the low hanging fruit and provide a false sense of security.

Re: IT of Commission and Parliament, not Universit

[Carewolf]

Remember working for an EU institution is not just well paid but tax free as well, and sometimes even a diplomatic status. They might need to hire but they rarely have trouble getting talent.

Re:

[gweihir]

In some spaces (and IT security is one of those), you need to offer more than good compensation and benefits to get and retain really good people. You need to offer interesting work and I seriously doubt they can do this.

Re:

[akozakie]

Not necessarily, it depends on their goals.

Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant. Projects like this are a great idea. You do something "pro bono", actually useful for you and your society. At the same time you keep the team funded, ready for when you need them more. And, most importantly - you keep them busy doing their actual job, the best form of training there is.

Re:

[drnb]

Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant.

And University researchers are unavailable, unwilling to answer the occasional call?

You do something "pro bono", actually useful for you and your society.

Supporting your EU universities and sponsoring research for professors and students does not benefit society?

At the same time you keep the team funded, ready for when you need them more.

So the internal team is bloated and short on work, but the department/fiefdom must be preserved?

And, most importantly - you keep them busy doing their actual job, the best form of training there is.

What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person

Re:

[drnb]

... analyze malware ...

"analyze malware and their software's vulnerability and exploitability to it" I should have written.

Re:

[akozakie]

And University researchers are unavailable, unwilling to answer the occasional call?

As someone who has worked for many, many years at a european university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

By the way, do you have any idea how long this "occasional" call would take? This is EU, with all the regulations. Weeks to prepare the call. At least a month for the call, preferably a

Re:

[drnb]

As someone who has worked for many, many years at a european university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

The TrueCrypt audit suggests otherwise, portions were done by professors and grad students. And my experience in grad school long ago suggest otherwise as well. You do realize the occasional grad student actually has an interest in how things work, in poking and proving a system, considers computer security a good area to do their research in? Some of us actually even had some experience beyond homework assignments.

Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.

If they have a security team of such a size I doubt their normal work has any massive downtim

Re:

[GuB-42]

If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

And why do you think it is better? You don't think the assigned IT department employees are competent?
Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc... The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks.

A university can tell you that

Re:

[drnb]

If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

And why do you think it is better? You don't think the assigned IT department employees are competent? Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc

Do you know what research is? It is often a tedious process of going through lots of information to check all the details and to spot errors/inconsistencies/surprises.

The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks. A university can tell you that the lock you are using and that everyone thought was unbreakable may be cracked in 2 years. An auditor will tell you that the window is opened.

Speaking as someone who did security research while at the University, you are ill-informed.

Quit the bashing

[lbalbalba]

Hey, I'm an European, and I welcome this. Apache is widely used, and it's security is for the common good. At the very least, this is a step in the right direction. The only downside I can think of, is that Apache is already heavily scrutinized by both static analyzers and 'real human being' audits, so it this particular choice may be of limited use. Still, a mayor step forward in my opinion.

Re:

[Anonymous Coward]

I'm an American, and I too think this is fantastic. OpenSSL has shown us that lax security in open source projects can have widespread disastrous consequences. I also use and love KeePass. Bring on the audits!

Re:

[l0n3s0m3phr34k]

That should make their job easier. Having a list of known vulnerabilities is a decent start. Hopefully their not just going to run Retina, print out a report, and call it done.

Re:

[sumdumass]

They want to certify it as safe and secure then tell England that they cannot use this validation because they left the EU. Instead England will have to use the version that is identical but not as safe because it won't have the stamp on the box.

Seriously though. It sounds like maybe they are trying to look important and beneficial to remaining members to avoid another exit push gaining momentum.

Re:

[dave420]

There is absolutely no evidence supporting your claims. It is far more likely they are just trying to audit some important, widely-used open source software. It has nothing to do with posturing, Britain, or other EU members.

Re:

[Anonymous Coward]

Seriously though. It sounds like maybe they are trying to look important and beneficial to remaining members to avoid another exit push gaining momentum.

Are you sure?
To me it sounds like someone thought that maybe they should check if the software they are using is secure and that a lot of people agreed.
They then thought that it would be a good idea to have the competence to check this in-house so that they don't rely on outside sources that may or may not be compromised.

Re:

[AJWM]

Don't store your passwords on anything which requires electricity.

I'm way ahead of you. I keep them on a Post-It note cleverly hidden under my keyboard.

Re:

[lucm]

Maybe they just want to show that they don't need the UK to do computer things. After all, they still have the SAP country, the Ubisoft country, and the non-Asian cheap IT labor countries.

Audit won't be done by EU IT departments

[Anonymous Coward]

It has been contracted out to a consultancy (who might sub-contract?), as the Pirate Party MEP who started this project reports: https://juliareda.eu/2016/07/eu-audits-keepass-apache/

Which KeePass?

[LichtSpektren]

I use KeePassX, but there's also KeePass 2 and some other forks. Which one exactly will be audited?

Re:

[Anonymous Coward]

The one at keepass.info [keepass.info].
If the forks haven't made any major refactoring they should still benefit a lot from this since they can do the diff from the audited version and see if any of the problems found still is present in their code.
Sure, they can have added new ones, but that is one of the costs of making a fork.

Personally I don't like the idea of electronic password managers since I feel that too much damage would be done is the manager is compromised.
I feel that a note next to the computer with a few hi