• On TechRepublic: 10 cool USB flash drive tricks
advertisementGet Smart about Business Spending
January 8, 2008 7:10 AM PST

11 open-source projects certified as secure

by Robert Vamosi

Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.

Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

San Francisco-based Coverity, working in collaboration with Stanford University and under a contract from the Department of Homeland Security, is analyzing source code to certify that open-source projects written in C, C++, and Java are secure. Coverity has not disclosed the amount of the DHS contract.

The certification was created so that companies can "select these open-source applications with even greater confidence," Coverity said.

The company uses a ladder metaphor in its certification process.

Rung 2, which was announced late Monday and is the most secure level to date, includes the 11 projects. Rung 1 now includes 86 projects. Rung 0, the lowest level, currently lists 173 projects.

In all cases, open-source vendors must fix all vulnerabilities discovered by Coverity's tools in order to move up the rungs of the security ladder.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

security certification,

DHS,

Coverity,

Open Source

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Qualcomm gets into open source, pigs begin to fly
Defense Department issues new open-source guidance
Google Android needs both control and community
Can open source stop navel gazing and get real?
White House Web site makes open-source move
Slow Web site? Yahoo open-sources an app for that
Most influential open-source gurus? Votes are in
Security firm M86 acquires Finjan
Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
Potentially secure
by Astinsan January 8, 2008 8:56 AM PST
Most of these items have the potential of being secure. A improper setting Postfix, php and perl can be disastrous.

I know you were really talking about the source code though. Mature projects are usually pretty good.
Reply to this comment
Good point!
by kingttx January 8, 2008 3:22 PM PST
That is a good point. Although I was going to use this for a good-hearted jab at some anti-PHP folks on our LUG list, I just can't bring myself to twist up the logic like that. Like you say, bad settings can screw up secure source.
Sec Code != Sec App
by the osd guy January 9, 2008 3:20 PM PST
What about design flaws?
What about info disclosures?
What about denial of service issues?
What about unxepected parse failures?
What about ...

There is more to secure applications than making sure ur buffers are correctly sized. Static analysis cant fully guarentee that and fuzz testing can only verify the product is as reliable as the fuzzer's randomizor logic.
Reply to this comment
(3 Comments)
  • prev
  • 1
  • next
advertisement

After 5 years, Firefox faces new challenges

Mozilla helped reshape the Web since releasing Firefox 1.0 five years ago. Now it's got a reawakened Microsoft and Google Chrome to reckon with.

There's a map for that: GPS or smartphone?

Almost every handset comes with mapping software these days, but standalone GPS devices are becoming more affordable than ever.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET