Community Projects Highlight Need for Security Volunteers
September 12 2019
In 2008, the Georgia Institute of Technology kicked off a course to give computer science students experience in creating applications and software for communities that might not otherwise have the resources to purchase technology.
Known as Computing for Good, the course produced some early successes. The Vein-to-Vein project created — in collaboration with Center for Disease Control (CDC) — an open source blood safety management system for clinics in Africa that could electronically track information related to specific blood samples. Similarly, the Basic Laboratory Information System (BLIS) project worked with the CDC and several nations’ ministries of health to create a system to help medical and hospital laboratories manage tests and specimens.
Other projects have included creating a system that helps manage workflow in schools for students with disabilities, and a system that analyzes images to look for illegal mining operations.
A decade later, many of these systems are still in use in some form — a testament to the power of volunteering coding skills for community projects, says Santosh Vempala, the Frederick G. Storey chair in computing and a professor of computer science at Georgia Institute of Technology.
“The challenge is to provide benefits of computing while working in the current resource-constrained environments [dealing with, among other issues] lack of Internet, water, electricity, technical skills, education, and income,” he says. “So some considerations are quite different from the developed world, and others take a relative backstage, at least for a time period.”
Risk Realities
Yet the success and longevity of the projects also put them at risk because attackers are searching for vulnerable systems — and such bespoke projects are on their radar.
On September 10, for example, vulnerability management firm Rapid7 disclosed three vulnerabilities it had found in the BLIS system during a penetration test. These vulnerabilities could have allowed an attacker to gain information on the system’s users, give an existing user administrator privileges, and then change the user’s password — effectively gaining administrator access to a BLIS system.
Currently, such systems are deployed in almost three dozen facilities in Africa, giving them the ability to serve an important healthcare function: to collect and maintain data on the samples and testing in medical laboratories. As a result of that support, the project continues to benefit from developers’ efforts. Not only did a maintainer respond quickly to Rapid7, but developers had already identified the issues and have released an update with a patch.
Tod Beardsley, director of research at Rapid7, gives the project plaudits for its quick response to the issues, but argues that security needs to be made a priority.
“It is great that they could get fixes out, but I do think that when you are providing software, it is on you to double-check your security,” he says.
There are many such projects and efforts. Carnegie Mellon University and the University of Southern California have created similar courses and delivered projects to affiliated groups, some of which are still in use today. GitHub hosts many open source projects written by volunteer developers, and the Free Software Foundation has supported a number of software projects, under the GNU moniker, aimed at developing communities.
“Open source maintainers are motivated by a mix of altruism, commitment to maintaining the community around the project itself, and the pride in knowing that they have developed something cool that is serving some greater need,” says Reed Loden, director of security at HackerOne.
The code-security trends of these charitable development efforts mirror those in the open source world in general. Security is often an afterthought, and as the focus of attackers shifts to less-vetted projects, such software comes under scrutiny.
Such projects need to recruit more security people, Loden says.
“There is only a small pool of people out there that have the skillset to actually fix vulnerabilities once found, and we currently do not have enough maintainers to review and apply those fixes,” he says. “In terms of motivation, many security researchers are contributors to open source and are firm believers in open source projects. They are motivated by a mix of altruism, curiosity, and, of course, if there is a bounty — though not generally the prime motivator.”
One problem is that many of these projects are used by small groups or a limited number of organizations, so they fail to gain the same scrutiny as larger, more well-known projects, says Rapid7’s Beardsley.
“You would never find this software, really, unless you were looking for it or had worked on it,” he says. “It would not show up on any list of downloaded software, and it really was not created with well-known components or frameworks that have had security scrutiny.”
Connected Complexity
Such issues become even more critical because many of these systems are moving from local installations to Internet-connected servers and even to the cloud. BLIS, for example, is undergoing a series of updates to make it ready to become an Internet-connected service, Georgia Tech’s Vempala says.
“After 10 years of entirely offline activity, countries would now like to consider moving to Internet and cloud-based healthcare data,” he says.
Currently, every existing installation in Africa is local, so the vulnerabilities found by Rapid7 are essentially moot, Vempala adds.
Georgia Tech has put a focus on the topics of security and privacy in its current incarnation of the Computing for Good course. In addition, other charitable efforts are underway as well. Google’s Patch Reward Program pays security researchers and developers up to $20,000 for finding vulnerabilities and providing a patch to a select group of open source projects. GitHub, now owned by Microsoft, offers anyone the ability to sponsor an open source project, as do many other projects such as Open Collective, Tidelift, and Community Bridge.
To date, however, most of these efforts have been aimed at large, well-known, and foundational open source efforts. Smaller community projects have fewer resources and need security professionals to volunteer as well, Rapid7’s Beardsley says.
“When you are in a position of building software for at-risk populations, populations that don’t have the normal level of resources that we might enjoy here in the US, you have a special obligation to pay attention to security,” he says. “We need volunteer efforts by security professionals and developers with security backgrounds to check in on these projects.”
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …