Yesterday I wrote a story about . I have been extremely critical of IoT vendors ignoring the importance of updates and security, putting millions of users at risk. In the case of Samsung, what bothered me the most was that these devices are running Tizen OS, a Linux-based open source operating system that’s hosted by the Linux Foundation.
I reached out to the Linux Foundation to discuss the security of the project. Here is an edited version of my interview with Nicko van Someren, Chief Technology Officer, The Linux Foundation.
SB: Being a Linux Foundation project, what’s the right place for researchers to report security bugs?
NvS: Like all LF projects, the right place for researchers to report vulnerabilities is directly with the project. Each project operates independently and The Linux Foundation provides support and assistance when asked. As with most open source projects, Tizen operates both a bug tracker system and mailing lists for discussing issues.
program is designed to help open source projects design, implement and follow a security process, which can reduce the number of bugs, make security testing easier and allow vulnerabilities to be patched more swiftly if they do slip through.
SB: Is there any system in place to ensure Linux Foundation-backed projects remain safe and secure?
NvS: The Core Infrastructure Initiative has introduced its free program that seeks to help open source software projects achieve better security, quality and stability. The Best Practice Badge uses an online assessment tool that determines which practices are relevant to a project, determines if they follow them and helps them to implement these practices as needed. This program is open to all open source projects, not just projects affiliated with The Linux Foundation.
As well as encouraging projects to follow the best security practices, the CII is also supporting the creation of powerful open source tools for security evaluation and testing. We have been funding the development of static analysis tools, fuzz-testing tools and a variety of other tools which enable projects to test their security posture. Of course, since each Linux Foundation project operates independently, the CII is not in a position to force any specific project to take up specific tools, but we will offer the Tizen team this support if they would like to take advantage of it.
This article is published as part of the IDG Contributor Network.