European Commission to audit Apache HTTP Server and Keepass
The European Commission is preparing a source code security audit of two software solutions: Apache HTTP Server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.
The security audit is the next phase of the pilot project, which involves the IT departments of both the Commission and the European Parliament.
The choice of Apache HTTP Server and Keepass is the result of a public survey. Between 17 June and 8 July, the EU-FOSSA project asked the public to help select the most appropriate software solutions, based on a pre-selection of open source solutions in use at the two European institutions. The survey received 3282 responses, with respondents favouring Keepass and Apache HTTP Server.
“We received 3282 answers, including many interesting and encouraging comments”, said Pierre Damas at the European Commission’s Directorate General for IT (DIGIT). “The number of responses is a clear indication of the appreciation for the EU-FOSSA project.”
Last week, the results of the survey were discussed with representatives of the European Parliament. Julia Reda, one of the two MEPs who proposed the project in 2014, urged the project to increase its efforts to involve open source communities. “Make sure the project results in real code contributions, and does not end in hefty reports that no developer will read”, she said.
Earlier that same day, Matthias Kirschner, vice-president of the Free Software Foundation Europe, had written on his blog that he worried the project would result in a “set of consultancy reports that nobody will ever read”. In response, the EU-FOSSA team emphasised that they will be contacting the project owners to get them closely involved in the audit.
The EU-FOSSA pilot is intended to result in a systematic approach for the EU institutions to make sure that widely used, key open source components can be trusted. The project should also allow the EU institutions to contribute to the integrity and security of key open source software. The EC and the EP are looking for funds to continue the project after December, when the pilot ends.