Get Smart about Business Spending
- Related Stories
-
Homeland Security helps secure open-source code
January 10, 2006 -
Key bugs in core Linux code squashed
August 3, 2005 -
Microsoft looks to extinguish LAMP
June 15, 2005 -
Open-source LAMP a beacon to developers
June 14, 2005 -
Study: Few bugs in MySQL database
February 4, 2005 -
Security research suggests Linux has fewer flaws
December 13, 2004 -
Will code check tools yield worm-proof software?
May 26, 2004
The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.
The U.S. Department of Homeland Security awarded $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."
LAMP includes the Linux operating system, Apache Web server, MySQL database and a scripting language--PHP, Perl or Python. It has been pushing its way into mainstream corporate computing, a rival to Java and Microsoft's .Net.
In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.
There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.
Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.
In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.
Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open source code next to that of proprietary code because that code is not available for scanning.
As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.
A PDF of the Coverity analysis is available for download (registration required).
See more CNET content tagged:
Coverity, open-source project, defect, open-source software, open source
http://www.realmeme.com/Main/miner/technology/LAMPlinuxDejanews.png
LAMP is one of the issues confronting J2EE -
http://www.realmeme.com/Main/savingj2ee/index.jsp
Now please stop with the junk about Windows being used by the majority on the desktop so it must be better than Linux running as a web server.
Also, Apache is used on 70% on the web's servers, meaning that at some point you must've come across a web site running on LAMP (look for web sites that have .php instead of .html).
Now please stop with the junk about Windows being used by the majority on the desktop so it must be better than Linux running as a web server.
- When MS doesn't sponser a study, the truth is told.
- by booboo1243 March 6, 2006 5:25 PM PST
- But I'll be if M$ got word of this study they were sure trying to pay people off.
- Like this Reply to this comment
-
-
- Head out of the sand
- by barneysmith March 7, 2006 3:50 PM PST
- Fred, before you start bagging other people?s mastery of the English language and making broad sweeping claims based on your own insecurity I suggest that you read the story correctly. This story has nothing to do with Microsoft as only Open Source products were compared.
- Like this
-
(9 Comments)In fact you could even argue that it highlights that the open source community does not have a solution to the challenges of writing secure software. If all bugs are shallow and the OSS community are committed to fixing the non sexy facets of a solution then why does the US government have to spend millions helping them.
Security is an incredibility hard problem to solve and to be honest some of the OSS claims are fundamentally flawed. Have a look at http://www.developer.com/tech/article.php/10923_626641_1
It is also interesting to note that many OSS products like mySQL only stay afloat because they sell licensed versions of their software (66% of their revenue) which may give them more money to spend on engineering internally themselves.
http://www.tampatech.com/services/business_factors_in_oss_database_companies.htm