[ISN] Open source, proprietary codes include similar mistakes

From: InfoSec News (alerts@private)
Date: Mon May 26 2008 - 23:09:56 PDT


By Wilson P. Dizard III

A two-year study of more than 55 million lines of code showed that 
open-source systems include a variety of errors that closely track those 
found in software written for proprietary systems.

The incidence of those errors in open-source code is declining, 
according to a study that the Homeland Security Department funded. The 
department hired Coverity to analyze more than 55 million lines of code 
in two years as part of the government's Open Source Code Hardening 

Coverity used its Scan service to help open-source developers improve 
their products' security by pinpointing and categorizing code flaws. 
Scan uses the company's widely deployed Coverity Prevent static 
source-code analysis system.

The two-year project covered more than 250 popular open-source projects.

Open-source software products are improving in quality and security, 
according to the study. Using the Scan service, researchers measured a 
16 percent reduction in source-code errors over the past two years, 
based on static analysis defect density, the number of defects the 
analyzer reports per thousand lines of code. Project researchers cited 
a report from Gartner that states that by 2012, as many as four-fifths 
of all commercial software will include open-source 

The Scan site sorts open-source projects into rungs based on their 
success in eliminating defects, Coverity said. "Projects at higher rungs 
receive access to additional analysis capabilities and configuration 
options," it said. "Projects are promoted as they resolve the majority 
of defects identified at their current rung."
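The two quantities the article relies on, static analysis defect density and the rung promotion rule, are easy to get subtly wrong when a team reproduces them for its own scans (comparing raw defect counts across code bases of different size, or promoting on "fixed some" rather than "fixed most"). The following is an added example, not Coverity's code or the Scan service's logic: it models a project's scan snapshots, computes density per thousand lines of code (the customary unit for this metric; treated here as an assumption), the percentage change between two runs, and the promotion decision. The project name, line counts and defect counts are constructed, and reading "majority" as strictly more than half is an assumption.

```python
from dataclasses import dataclass


@dataclass
class ScanSnapshot:
    """One static-analysis run over a project (constructed example data)."""
    project: str
    lines_of_code: int
    defects_found: int      # defects reported at the project's current rung
    defects_resolved: int   # of those, how many the developers have fixed
    rung: int = 0           # Scan-style rung the project currently sits on


def defect_density(snapshot: ScanSnapshot) -> float:
    """Static analysis defect density: reported defects per 1,000 lines of code.

    Normalising by size is what makes a 60-defect, 120 KLOC project comparable
    with a 63-defect, 150 KLOC one; raw counts alone would show a regression.
    """
    if snapshot.lines_of_code <= 0:
        raise ValueError("lines_of_code must be positive to compute a density")
    return snapshot.defects_found / snapshot.lines_of_code * 1000.0


def portfolio_density(snapshots: list[ScanSnapshot]) -> float:
    """Density across many projects: total defects over total lines, not the mean
    of per-project densities (which would let tiny projects dominate)."""
    total_loc = sum(s.lines_of_code for s in snapshots)
    if total_loc <= 0:
        raise ValueError("portfolio has no lines of code")
    return sum(s.defects_found for s in snapshots) / total_loc * 1000.0


def density_change_percent(before: ScanSnapshot, after: ScanSnapshot) -> float:
    """Percent change in defect density between two runs; negative means improvement."""
    d0 = defect_density(before)
    d1 = defect_density(after)
    if d0 == 0.0:
        # Nothing was reported before, so any new defect is an unbounded increase;
        # report 0.0 for a clean-to-clean comparison and +inf otherwise (assumption).
        return 0.0 if d1 == 0.0 else float("inf")
    return (d1 - d0) / d0 * 100.0


def promotion_ready(snapshot: ScanSnapshot) -> bool:
    """Promotion rule as the article states it: a project moves up once it has
    resolved the majority of the defects identified at its current rung.
    'Majority' is taken as strictly more than half (assumption)."""
    if snapshot.defects_found == 0:
        return True  # nothing outstanding at this rung (assumption)
    return snapshot.defects_resolved * 2 > snapshot.defects_found


def next_rung(snapshot: ScanSnapshot) -> int:
    """Rung the project would hold after this snapshot is evaluated."""
    return snapshot.rung + 1 if promotion_ready(snapshot) else snapshot.rung


# Constructed snapshots two years apart for one hypothetical project.
BEFORE = ScanSnapshot("examplefs", lines_of_code=120_000, defects_found=60,
                      defects_resolved=25, rung=0)
AFTER = ScanSnapshot("examplefs", lines_of_code=150_000, defects_found=63,
                     defects_resolved=40, rung=0)

if __name__ == "__main__":
    print(f"{BEFORE.project}: {defect_density(BEFORE):.3f} -> "
          f"{defect_density(AFTER):.3f} defects/KLOC "
          f"({density_change_percent(BEFORE, AFTER):+.1f}%)")
    print(f"rung after first run: {next_rung(BEFORE)}, after second: {next_rung(AFTER)}")
```

Note that the constructed data deliberately shows the trap: the raw defect count rose from 60 to 63 while the density fell 16 percent, and the project only qualifies for promotion on the second run because 40 of 63 is a majority while 25 of 60 is not.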

"The continued improvement of projects that already possess strong code 
quality and security underscores the commitment of open-source 
developers to create software of the highest integrity," said David 
Maxwell, open-source strategist at Coverity.

The company said its initial two-year DHS contract is ending, and 
Coverity will continue to operate the Scan site because of the favorable 
response the project has received from software developers and others in 
the open-source community.

The full Open Source Report 2008 is available here [1].

[1] http://www.gcn.com/newspics/Coverity_OpenSourceReport2008.pdf


This archive was generated by hypermail 2.1.3 : Mon May 26 2008 - 23:25:43 PDT