David A. Wheeler's Blog

Sat, 09 Feb 2019

Railroader: Security static analysis tool for Ruby on Rails (Brakeman fork)

I’ve kicked off the Railroader project to maintain a security static analysis tool for Ruby on Rails that is open source software. If you are developing with Ruby on Rails, please consider using Railroader. We would also really love contributions, so please contribute!

A security static analysis tool (analyzer) examines software to help you identify vulnerabilities (without running the possibly-vulnerable program). This helps you find and fix vulnerabilities before you field your web application. Ruby on Rails is a popular framework for developing web applications; sites that use Rails include GitHub, Airbnb, Bloomberg, Soundcloud, Groupon, Indiegogo, Kickstarter, Scribd, MyFitnessPal, Shopify, Urban Dictionary, Twitch.tv, GitLab, and the Core Infrastructure Initiative (CII) Best Practices Badge.

In the past the obvious tool for this purpose was Brakeman. However, Brakeman has switched to the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Public License (CC-BY-NC-SA-4.0). This is not an open source software license since it cannot be used commercially (an OSS license cannot discriminate against a field of endeavor). Similarly, it is not a free software license (since you cannot run the program as you wish / for any purpose). You can verify this by looking at the Brakeman 4.4.0 release announcement, the SPDX license list, Debian’s “The Debian Free Software Guidelines (DFSG) and Software Licenses”, Various Licenses and Comments about Them (Free Software Foundation), and Fedora’s Licensing:Main (Bad Licenses list). Railroader conitinues using the original licenses: MIT for code and CC-BY-3.0 for the website. MIT, of course, is a very well-known and widely-used open source software license.

If you are currently using Brakeman, do not update to Brakeman version 4.4.0 or later until you first talk with your lawyer. At the very least, if you plan to use newer versions of Brakeman, check their new license carefully to make sure that there is no possibility of a legal issue. This license change was part of a purchase of Brakeman by Synopsys. Synopsys is a big company, and they definitely have the resources to sue people who don’t obey their legal terms. Even if they didn’t, it is not okay to use software when you don’t have the right to do so. Either make sure that you have no legal issues… or just switch to Railroader, where nothing has changed.

Unfortunately, it is really easy to “just upgrade to the latest release” of Brakeman without realizing that this is a major license change. I suspect a lot of people will just automatically download and run the latest version, and have no idea that this is happening. I only noticed because I routinely use software license checkers (license_finder in my case) so that I immediately notice license changes in a newer version. I strongly recommend adding static source code analyzers and license checkers as part of your continuous integration (CI).

We assume that “Brakeman” is now a trademarked by Synopsys, Inc, so we’ve tried to rename everything so that the projects are clearly distinct. If we’ve missed something, please let us know and we’ll fix it. The term “Railroader” is a play on the word Rails, but it is obviously a completely different word. Railroader shares a common code base historically with Brakeman, and that’s important to explain, but they are not the same projects and we are expressly trying to not infringe on any Brakeman trademark. It’s obviously legal to copy and modify materials licensed under the MIT and CC-BY-3.0 licenses (that’s the purpose of these licenses), so we believe there is no legal problem.

I think I have a reasonable background for starting this project. I created and maintain flawfinder, a security static analysis tool for C/C++, since 2001. I literally wrote the book on developing secure software; see my book Secure Programming HOWTO. I even teach a graduate class at George Mason Univerity (GMU) on how to develop secure software. For an example of how I approach securing software in an affordable way, see my video How to Develop Secure Applications: The BadgeApp Example (2017-09-18) or the related document BadgeApp Security: Its Assurance Case. I have also long analyzed software licenses, e.g., see The Free-Libre / Open Source Software (FLOSS) License Slide, Free-Libre / Open Source Software (FLOSS) is Commercial Software, and Publicly Releasing Open Source Software Developed for the U.S. Government.

While Railroader is a project fork, we hope that this is not a hosttile fork. We will not accept software licensed only under CC-BY-NC-SA-4.0, since that is not an OSS license. But we’ll gladly accept good contributions from anyone if they are released under the original OSS licenses (MIT for software, CC-BY-3.0 for website content). If the Brakeman project wants to cooperate in some way, we’d love to talk! We are all united in our desire to squash out vulnerabilities before they are deployed. In addition, we’re grateful for all the work that the Brakeman community has done.

So, again: If you are developing with Ruby on Rails, please consider using Railroader. We would also really love contributions, so please contribute!

path: /oss | Current Weblog | permanent link to this entry

Mon, 19 Nov 2018

Get your CII best practices badge!

Are you developing open source software (OSS)? Selecting some? If you’re developing OSS, earn a best practices badge from the Linux Foundation Core Infrastructure Initiative (CII). If you’re selecting OSS, prefer OSS that has earned a badge. The badge shows that the project is applying the best practices for today’s projects. Check out this short Youtube video summary or the CII Best Practices badge website.

path: /oss | Current Weblog | permanent link to this entry

Wed, 04 May 2016

Get your CII best practices badge!

If you’re involved in a free / libre / open source software (FLOSS) project, go to bestpractices.coreinfrastructure.org and get your best practices badge!

The Linux Foundation’s Core Infrastructure Initiative (CII) has just announced its CII best practices badging program for FLOSS projects. It’s a free program that lets developers explain how they follow best practices, and if they do, they can get a badge that they can show on their GitHub page or anywhere else. Early badge earners include the Linux kernel, Curl, GitLab, OpenBlox, OpenSSL, Node.js and Zephyr.

The idea is straightforward. The Heartbleed vulnerability in OpenSSL made it obvious that there are widely-accepted best practices that not everyone is doing - and that even includes important projects. This isn’t just speculation; if you compare OpenSSL before Heartbleed with current OpenSSL the difference is striking. I think it’s clear that if more projects would apply generally-accepted best practices, we’d have more secure software. This badging process helps projects identify those best practices, determine if they meet them, and show everyone else that they’re meeting them.

The web application and criteria are being maintained as an open source software project, so we’d love to have you! I say “we” because I’m leading this project… but it’s not just me, and we would love to have you involved.

More detail is in the Linux Foundation press release about the best practices badging project.

path: /oss | Current Weblog | permanent link to this entry

Thu, 10 Mar 2016

US government - Reusable and Open Source Software

The US White House has announced (in its blog) Leveraging American Ingenuity through Reusable and Open Source Software. They state that, “Today, we’re releasing for public comment a draft policy to support improved access to custom software code developed for the Federal Government.” They are accepting comments on this draft policy via GitHub pull requests, GitHub issues, or email. I definitely plan to take a look, and I’m sure they would like feedback from many people.

Note that I also posted this information on Twitter.

path: /oss | Current Weblog | permanent link to this entry

Mon, 01 Feb 2016

Using open source software to help technology transition of research

If you’re doing software research and development (especially on how to improve computer security), and are thinking about using an open source software (OSS) approach but don’t know a lot about it, here’s something that may help: Using an Open Source Software Approach for Cybersecurity Technology Transition (IDA paper P-5279, aka the “PI guide”). If you’re an old hand at developing Free/ libre/ open source software (FLOSS or OSS), you probably know most of this information. However, I’ve found that a lot of people could use a hand. Here’s that helping hand.

path: /oss | Current Weblog | permanent link to this entry

Fri, 09 Oct 2015

Government adoption of OSS

If you’re interested in open source software (OSS), or in how governments can work better, take a look! Mark Bohannon has posted the article “U.S. report highlights positive elements of government open source adoption” on Opensource.com. This discusses a paper Tom Dunn and I wrote Open Source Software in Government: Challenges and Opportunities, and discusses a few things that have happened since. Enjoy!

path: /oss | Current Weblog | permanent link to this entry

Wed, 30 Sep 2015

Reveloping open source software in Linux Foundation projects: $5 billion and 30 years

The Linux Foundation now estimates it would cost $5 billion and 30 years to redevelop “the software residing in The Linux Foundation’s collaborative projects”. That’s not even all free / libre / open source software (FLOSS). Of course, there are many caveats, but that’s still an intriguing number; it provides a simple view of just how big FLOSS has become. They also credit me, since they applied the same general process I developed earlier in my “More than a Gigabuck” paper. Thanks! If you’re interested in FLOSS, I think you’ll find this paper intriguing.

path: /oss | Current Weblog | permanent link to this entry

Fri, 27 Mar 2015

Z3 is OSS!

Z3 has been released as open source software under the MIT license! This is great news. Z3 is a good satisifiability modulo theories (SMT) solver / theorem prover from Microsoft Research. An SMT solver accepts a set of constraints (such as “a<5 and a>1”) and tries to produce values that satisfy all the constraints. A satisfiability (SAT) solver does this too, but SAT solvers can only work with boolean variables; SMT solvers can handle other types, such as integers. Here is a Z3 tutorial.

SMT solvers are basically lower-level tools that have many uses for building larger capabilities, because many problems require solving logical formulas to find a solution.

I am particularly interested in the use of SMT solvers to help prove that programs do something or do not do something. Why3 is a platform that lets you write programs and their specifications, and then calls out to various provers to try to determine if the claims are true. By itself Why3 only supports its WhyML language, but Why3 can be combined with other tools to prove statements in other languages. Those include C (using Frama-C and a plug-in), Java, and Ada. People have been able to prove tiny programs for decades, but scaling up to bigger programs in practice requires a lot of automation. I think this approach of combining many different tools, with different strengths, is very promising.

The more tools that are available to Why3, the more likely it will solve problems automatically. That’s because different tools use different heuristics and focus on different issues, resulting in different ones being good at different things. There are already several good SMT solvers available as OSS, including CVC4 and alt-ergo.

Now that Microsoft has released Z3 as OSS, there is yet another strong OSS SMT solver that tools like Why3 can use directly. In short, the collection of OSS SMT solvers has just become even stronger. There’s a standard for SMT solver inputs, the SMT-LIB format, so it’s not hard to take advantage of many SMT solvers. My hope is that this will be another step in making it easier to have strong confidence in software.

path: /oss | Current Weblog | permanent link to this entry

Mon, 20 Oct 2014

Open Source Software in U.S. Government

The report “Open Source Software in Government: Challenges and Opportunities” is available to the public (you can jump to the “Download full report” link at the bottom). This paper, which I co-authored, discusses key challenges and opportunities in the U.S. government application of open source software (OSS). It became publicly available only recently, even though it was finished a while back; I hope it’s been worth the wait. If you’re interested in the issues of OSS and government, I think you’ll find this report very illuminating.

path: /oss | Current Weblog | permanent link to this entry

Wed, 21 May 2014

On Dave and Gunnar show

There is now an interview of me on the Dave and Gunnar show (episode #51). I talk mostly about How to prevent the next Heartbleed. I also talk about my FLOSS numbers database (as previously discussed) and vulnerability economics. There was even a mention of my Fully Countering Trusting Trust through Diverse Double-Compiling work.

Since the time of the interview, more information has surfaced about Heartbleed. Traditional fuzzing could not find Heartbleed, but it looks like some fuzzing variants could even if the OpenSSL code was unchanged; see the latest version for more information. If you learn more information relevant to the paper, let me know!

path: /oss | Current Weblog | permanent link to this entry

Thu, 08 May 2014

FLOSS numbers database!

If you are doing research related to Free / Libre / Open Source Software (FLOSS), then I have something that may be useful to you: the FLOSS numbers database.

My paper Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers! is a big collection of quantitative studies about FLOSS. Too big, in fact. There have been a lot of quantitative studies about FLOSS over the years! A lot of people want to query this information for specific purposes, and it is hard to pull out just the parts you want from a flat document. I had thought that as FLOSS became more and more common, fewer people would want this information… but I still get requests for it.

So I am announcing the FLOSS numbers database; it provides the basic information in spreadsheet format, making it easy to query for just the parts you want. My special thanks go to Paul Rotilie, who worked to get the data converted from my document format into the spreadsheet.

If you want to discuss this database, I have set up a discussion group: Numbers about Free Libre Open Source Software. If you are doing research and need or use this kind of information, please feel free to join. If you just need a presenatation based on this, you might like my Presentation: Why Free-Libre / Open Source Software (FLOSS or OSS/FS)? Look at the Numbers!.

This database is the sort of thing that if you need it, you really need it. I am sure it is incomplete… but I am also sure that with your help, we can make it better.

path: /oss | Current Weblog | permanent link to this entry

Thu, 24 Apr 2014

Opensource.com interview

Opensource.com has posted an interview of me, titled “US government accelerating development and release of open source”. In this interview I describe the current state of the use of open source software by the US federal government, the challenges of the Federal acquisition system, and I also discuss what may happen next. Enjoy!

path: /oss | Current Weblog | permanent link to this entry

Thu, 20 Feb 2014

Presenting at American Society for Quality

On February 25, 2014, I will be presenting on “Open Source Software and Government” at the American Society for Quality (ASQ) Software SIG. You can join in person in McLean, Virginia; there will also be various video tele-conferencing sites, and you can join by phone or online as well.

If you’re interested, you’re welcome to join us, but you’ll need to pre-register.

path: /oss | Current Weblog | permanent link to this entry

Fri, 07 Feb 2014

William W. McCune: He made the world a better place through source code

Here I want to honor the memory of William W. (“Bill”) McCune, who helped change the world for the better by releasing software source code. I hope that many other researchers and government policy-makers will follow his lead… and below I intend to show why.

But first, I should explain my connection to him. My PhD dissertation involved countering the so-called “trusting trust” attack. In this attack, an attacker subverts the tools that developers use to create software. This turns out to be a really nasty attack. If a software developer’s tools are subverted, then the attacker actually controls the computer system running the software. This is no idle concern, either; we know that computers are under constant attack, and that some of these attacks are very sophisticated. Such subversions could allow attackers to essentially control all computers worldwide, including the global financial system, militaries, electrical systems, dams, you name it. That kind of power makes this kind of attack potentially worthwhile, but only if it cannot be detected and countered. For many years there were no good detection mechanisms or countermeasures. Then Henry Spencer suggested a potential solution… but there was no agreement that his idea would really counter attackers. That matters; how can you be absolutely certain about some claim?

The “gold standard” for knowing if something is true is a formal mathematical proof. Many important questions cannot be proved this way, all proofs depend on assumptions, and creating a formal proof is often hard. Still, a formal mathematical proof is the best guarantee we have for being certain about something. And there were a lot of questions about whether or not Henry Spencer’s approach would really counter this attack. So, I went about trying to prove that Henry Spencer’s idea really would counter the attack (if certain assumptions held).

After trying several other approaches, I found that the tools developed by Bill McCune (in particular prover9, mace4, and ivy) were perfect for my needs. These tools made my difficult work far easier, because his tools managed to mostly-automatically prove claims mathematically once they were described using mathematical statements. In the end, I managed to mathematically prove that Henry Spencer’s approach really did counter the subverted compiler problem. The tools Bill McCune developed and released made a real difference in helping to solve this challenging real-world problem. I didn’t need much help (because his tools were remarkably easy to use and well-documented), but he responded quickly when I emailed him too.

Sadly, Bill McCune suddenly died on May 4, 2011, leaving the field of automated reasoning deprived of one of its founders (particularly in the subfields of practical theorem proving and model building). In 2013 an academic book was released in his honor (“Automated Reasoning and Mathematics: Essays in Memory of William W. McCune”, Lecture Notes in Artificial Intelligence 7788). That book’s preface has a nice tribute to Bill McCune, listing some of his personal accomplishments (e.g., the development of Otter) and other accomplishments that his tools enabled.

Bill McCune released many tools as open source software (including prover9, mace4, ivy, and the older tool Otter). This means that anyone could use the software (for any purpose), modify it, and distribute it (with or without modification). These freedoms had far-reaching effects, accelerating research in automated proving of claims, as well as speeding the use of these techniques. That book’s preface notes several of Bill McCune’s accomplishments, including the impact he had by releasing the code:

All too often the U.S. government spends a fortune in research, and then that same research has to be recreated from scratch several times again by other researchers (sometimes unsuccessfully). This is a tremendous waste of government money, and can delay work by years (if it can happen at all) resulting in far less progress for the money spent. Bill McCune instead ensured that this results got out to people who could use and improve upon them. In this specific area Bill McCune made software research available to many others, so that those others could use it, verify it, and build on top of those results.

Of course, he was not alone in recognizing the value of sharing research when implemented as software. The paper ”The Evolution from LIMMAT to NANOSAT” by Armin Biere (April 2004) makes the same point when they tried to reproduce others’ work. That paper states, “From the publications alone, without access to the source code, various details were still unclear… what we did not realize, and which hardly could be deduced from the literature, was [an optimization] employed in GRASP and CHAFF [was critically important]… Only [when CHAFF’s source code became available did] our unfortunate design decision became clear… The lesson learned is, that important details are often omitted in publications and can only be extracted from source code. It can be argued, that making source code … available is as important to the advancement of the field as publication.”

More generally, Free the Code.org argues that if government pays to develop software, then it should be available to others for reuse and sharing. That makes sense to me; if “we the people” paid to develop software, then by default “we the people” should receive it. I think it especially makes sense in science and research; without the details of how software works, results are not reproduceable. Currently much of science is not reproduceable (and thus not really science), though open science efforts are working to change this.

I think Bill McCune made great contributions to many, many, others. I am certainly one of the beneficiaries. Thank you, Bill McCune, so very much for your life’s work.

path: /oss | Current Weblog | permanent link to this entry

Sun, 01 Dec 2013


I just learned about shellcheck, a tool that reports on common mistakes in (Bourne) shell scripts. If you write shell scripts, you should definitely check out this static analyzer. You can try it out by pasting shell scripts into their website. It is open source software, so you can also download and use it to your heart’s content.

It even covers some of the issues identified in Filenames and Pathnames in Shell: How to do it Correctly. If you are interested in static analyzers for software, you can also see my Flawfinder home page which identifies many other static analysis tools.

path: /oss | Current Weblog | permanent link to this entry

Wed, 21 Aug 2013

Open security

Modern society depends on computer systems. Yet computer security problems let attackers subvert the very systems that society depends on. This is a serious problem.

I think one approach that could help is “open security” - applying open source software (OSS) approaches to help solve computer security problems. To see why, let’s look at some background.

Back in the 1970s people collaboratively developed software that today we would call open source software or free-libre software. At the time many assumed these approaches could not scale up to big systems… but they were wrong. Software systems that would cost over a billion U.S. dollars to redevelop have been developed as open source software, and Wikipedia has used similar approaches to collaboratively develop the world’s largest encyclopedia.

So… if we can collaboratively develop multi-billion software systems, and large encyclopedias, can we use the same kinds of collaborative approaches to improve computer security? I believe we can… but if we are going to do this, we need to define a term for this (so that we can agree on what we are doing!).

I propose that open security is the application of open source software (OSS) approaches to help solve cyber security problems. OSS approaches collaboratively develop and maintain intellectual works (including software and documentation) by enabling users to use them for any purpose, as well as study, create, change, and redistribute them (in whole or in part). Cyber security problems are a lack of security (confidentiality, integrity, and/or availability), or potential lack of security (a vulnerability), in computer systems and/or the networks they are a part of. In short, open security improves security through collaboration.

You can see more details in my paper What is open security? [PDF] [DOC]. I intentionally built on previous work such as the Free Software Definition by the Free Software Foundation (FSF), the Open Source Definition (Annotated) by the Open Source Initiative (OSI), the Creative Commons license work, and the Definition of Free Cultural Works by Freedom Defined (the last one is, for example, the basis of the Wikimedia/Wikipedia licensing policy).

The Open security site has been recently set up so that you and others can join and get involved. So please - get involved! We are only just starting, and the direction we go depends on the feedback we get.

Further reading:

path: /oss | Current Weblog | permanent link to this entry

Tue, 30 Apr 2013

OSS License Clinic

If you’re interested in understanding the legal, contract, or government acquisition issues in applying free / libre / open source software (FLOSS), come to the “Open Source License Clinic” on May 9, 2013, 9am-noon (EDT), in Washington, DC. This clinic will be hosted by the non-profit Open Source Initiative (OSI), and is “designed as a cross-industry, cross-community workshop for legal, contract, acquisition and program professionals who wish to deepen their understanding of open source software licenses, and raise their proficiency to better serve their organizations objectives as well as identify problems which may be unique to government. Discussion of licenses and issues in straight-forward terms make the clinic of value to anyone involved in the lifecycle of a technology decision/acquisition or strategy for internal software development.”

I’m one of the speakers, along with:

The location for the license clinic will be:

101 Independence Ave SE
Madison Building, 6th Floor, Dining Room A
Washington, DC 20540

You might also be interested in the Open Source Community Summit on May 10 (the following day) in Washington, DC.

path: /oss | Current Weblog | permanent link to this entry

Thu, 21 Mar 2013

French government OSS policy

Free/libre/open source software (FLOSS) continues to grow around the world, and governments around the world are trying to establish policies about it. Yet in the U.S. we often don’t hear about them. I just posted about a UK policy; here’s a recent French policy, translated into English.

The French administration, in September 2012, established a set of guidelines and recommendations on the proper use of Free Software (aka open source software) in the French government. This is called the “Ayrault Memorandum” (circulaire Ayrault, in French) and was signed in September 2012 by the French Prime Minister. The document was mainly produced by the DISIC (the Department of Interministerial Systems Information and Communication) and the CIOs of some departments. The DISIC is in charge of coordinating the administration actions on information systems.

path: /oss | Current Weblog | permanent link to this entry

Mon, 18 Mar 2013

UK Government prefers OSS

The UK government is mandating a “preference” for open source software in its Government Service Design Manual Open Source section, to be effective April 2013. The draft manual says, “Use open source software in preference to proprietary or closed source alternatives, in particular for operating systems, networking software, web servers, databases and programming languages.”

path: /oss | Current Weblog | permanent link to this entry

Tue, 22 Jan 2013

Speaking at ACM DC Chapter

FYI, on 2013-03-04 I plan to speak about “Open Source Software, Government, and Cyber Security” at the Association for Computing Machinery (ACM), Washington, DC Chapter. It will be at 1203 19th St, 3rd Floor, Washington, DC. See the link for more information.

path: /oss | Current Weblog | permanent link to this entry