Security in Open Source Projects: Lessons From Mozilla and Drupal

Over the past few years, implementing security properly has become a big issue for software applications of all stripes, including open source applications and platforms. That's why I noted with interest a couple of blog posts on the topic from leaders behind two high-profile open source projects: Firefox and Drupal. In a piece called "Learning From Mozilla Security" on InternetNews, Jonathan Nightingale of Mozilla's security team, who has the title "Human Shield," provides some instructive examples of the lengths Mozilla goes to to keep Firefox secure (and security is the reason some people use the browser). Meanwhile, Dries Buytaert, founder of the open source Drupal content management system, has a post up on strategic steps he wants to put in place for a security team to police Drupal and its many modules.

Mozilla's Nightingale spoke on Firefox security at the recent RSA Security conference. He reports that Mozilla's security group currently numbers 80 people, and about a third of those are not Mozilla employees. InternetNews reports:

"A big part of how Mozilla secures its software is by way of testing often, and regularly, with a number of different techniques and tools. According to Nightingale, Mozilla runs 90,000 automated tests, using eight different test frameworks (called 'harnesses') on four platforms, at least 20 times a day."

That's a robust security effort, and Nightingale tells InternetNews that one of the key aspects to implementing such an ambitious security effort in an open source project is that everyone has to "get religion about it" up front. In his post, Dries Buytaert echoes the get religion message. He reports that Drupal's security team supported 2,000 contributed modules last year, and says "today we support over 4,000 and that number grows each day." He adds that more and more people have to be added for testing all the time. Dries also says that delegating security testing can be a potent step for protecting the security of Drupal modules:

"The security team should consider how every module maintainer can become responsible for managing their own security issues and publishing their own security advisories. By distributing the workload, we scale the security team to work within any size community, and we move the security team -- and Drupal's security model -- to the next level."

Mozilla, with the kind of funding it has through its relationship with Google, can afford many in-house people to police security, as the company clearly does. Buytaert's prescription for delegating distributed security testing across the community seems to make the most sense for most open source projects. Both Buytaert and Nightingale agree fully, though, that the commmunity must strongly back well-planned security initiatives up front, and that sounds like a central lesson for all open source project leaders.