• On CBS MoneyWatch: 7 INAPPROPRIATE Interview Questions
advertisement
January 8, 2008 7:10 AM PST

11 open-source projects certified as secure

by Robert Vamosi

Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.

Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

San Francisco-based Coverity, working in collaboration with Stanford University and under a contract from the Department of Homeland Security, is analyzing source code to certify that open-source projects written in C, C++, and Java are secure. Coverity has not disclosed the amount of the DHS contract.

The certification was created so that companies can "select these open-source applications with even greater confidence," Coverity said.

The company uses a ladder metaphor in its certification process.

Rung 2, which was announced late Monday and is the most secure level to date, includes the 11 projects. Rung 1 now includes 86 projects. Rung 0, the lowest level, currently lists 173 projects.

In all cases, open-source vendors must fix all vulnerabilities discovered by Coverity's tools in order to move up the rungs of the security ladder.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

security certification,

DHS,

Coverity,

Open Source

Share:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Survey: 98 percent of enterprises using open source
Lacking Oracle help, OpenSolaris group disbands
Meet Project Vigilant--the Wikileaks leak
Flywheel power grid storage project gets DOE loan
'Anti-Facebook' project nears launch
Where's my 4G?
Nimbula raises $15 million more for private cloud
Why Oracle, not Sun, sued Google over Java
Add a Comment (Log in or register) (3 Comments)
  • prev
  • next
Potentially secure
by Astinsan January 8, 2008 8:56 AM PST
Most of these items have the potential of being secure. A improper setting Postfix, php and perl can be disastrous.

I know you were really talking about the source code though. Mature projects are usually pretty good.
Reply to this comment
Good point!
by kingttx January 8, 2008 3:22 PM PST
That is a good point. Although I was going to use this for a good-hearted jab at some anti-PHP folks on our LUG list, I just can't bring myself to twist up the logic like that. Like you say, bad settings can screw up secure source.
Sec Code != Sec App
by the osd guy January 9, 2008 3:20 PM PST
What about design flaws?
What about info disclosures?
What about denial of service issues?
What about unxepected parse failures?
What about ...

There is more to secure applications than making sure ur buffers are correctly sized. Static analysis cant fully guarentee that and fuzz testing can only verify the product is as reliable as the fuzzer's randomizor logic.
Reply to this comment
(3 Comments)
  • prev
  • next
advertisement
CNET River

  • jetscott: Hey Jets haters, shelve those fantasies: Revis is coming back.

  • caro: Just spotted Fish and Chips @ Liberal Cup on @Foodspotting http://bit.ly/b6qzu7

  • raygun01: Arrive home and power up my Mac Pro to find it spontaneously rebooting. Sometimes after a full OS bootup, others repeatedly at Apple logo.

  • caro: BURGERS!!!! RT @EmilyGannett Finished with @caro's boot camp - 6m run followed by a 7.6m hike. Now, what's for dinner?!?

  • jetscott: iPhone 4 browsing gets crazy at such high resolutions. My thumb needs tiny fingers.

  • jetscott: Migraine has destroyed my afternoon. Living in a dark room, trying to make peace with the pain.

  • stshank: Rebates for a few days on seven Tamron lenses: http://bit.ly/bnzmu1

  • mollywood: Q: are no-contract phone prices even remotely based in reality? I mean, does a Droid 2 really cost more to make than an iPad? Rant brewing.

  • caro: Rainbow visible from summit (4170 ft) (@ Old Speck Mountain) http://4sq.com/cvyqU9

  • antgoo: Jeez, any time you save by driving in this city is immediately lost looking for parking... And then some!

  • Former HP CEO Mark Hurd heading to Oracle?
  • World's best sounding 3D Blu-ray

  • jetscott: Talking Apple TV on WGN Chicago radio in just a few minutes.

  • raygun01: Lucy is cutting four teeth at once... and we are flying cross country all day. If ever we needed a miracle, now would be the time.

  • Aboard an Alcatel-Lucent undersea cable ship (photos)

  • stshank: Ha! RT @diveintomark: PING: YOUR FRIEND HAS BEEN REJECTED BECAUSE SHE DUPLICATES THE FUNCTIONALITY OF AN EXISTING FRIEND.

  • stshank: What happened to fast user switching from Windows XP to Windows 7? It takes *forever* now. It had been a real advantage over Mac OS X.

  • stshank: .@jnack If you want to blow off steam about the garbage that is Star Wars prequels, I recommend RedLetterMedia: http://bit.ly/cquHAx

  • danackerman: Saturday's conversation about new Android tablets, including the Samsung Galaxy Tab, on MSNBC: http://t.co/b383pO3

  • caro: I made it! RT @ohhleary: Last course of dinner: Icebox Chocolate Cake with Bar Harbor Cadillac Mountain Stout http://plixi.com/p/43341618

  • loricnet: Or at least raw+JPG RT @Photocritic: Friends don't let friends shoot JPG. pick up your camera right now, switch it to RAW, never change it.

  • jetscott: Take a look at the Patriots' final roster, then tell me how exactly they're supposed to win the AFC East.

  • danackerman: At the Film Forum, about to see The Tinger, presented in original "Percepto" format http://yfrog.com/4blmscj

  • Kindle vs. Nook vs. iPad: Which e-book reader should you buy?

  • caro: Time for an authentic @ohhleary local beer tasting http://twitpic.com/2lbp82

Chrome reshapes the browser market

The influence that Google's browser has had on the market is broader than its actual use. On Chrome's second anniversary, Google releases the sixth stable version.

Apple rolls out new iPods, social iTunes

A new version of Apple TV is also coming soon, as Apple follows its usual September playbook in refreshing its iPod lineup and the iTunes software.
• Roundup: New iPods, iTunes, TV?

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
Video
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET API
About CNET