The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.
The so-called LAMP stack of open-source software has a lower bug density (the number of bugs per thousand lines of code) than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.
The U.S. Department of Homeland Security awarded $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."
In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.
There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.
Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.
In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.
Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open source code next to that of proprietary code because that code is not available for scanning.
As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.
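The figures above all hinge on one metric, defect density, and on comparing each project against an aggregate baseline. The following Python script is an added illustration of that arithmetic; it is not Coverity's code or anything from the Open Source Hardening Project. The defect counts and densities marked "article" in the comments come from the story; every line count is a constructed assumption (chosen to reproduce the article's density for XMMS, and a pure placeholder for X, whose density the story does not give), and the PHP and Apache rows are wholly constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ScanResult:
    """One project's static-analysis result: raw defect count and code size."""
    project: str
    defects: int
    lines_of_code: int

    @property
    def density(self) -> float:
        """Defect density: defects per thousand lines of code (KLOC)."""
        return self.defects / (self.lines_of_code / 1000.0)


# Constructed sample data (assumption). "article" marks figures taken from the
# story; all line counts are assumed or placeholders.
SAMPLE_SCAN: List[ScanResult] = [
    ScanResult("xmms", 6, 117_647),        # article: 6 defects, 0.051/KLOC; LOC derived
    ScanResult("amanda", 120, 97_000),     # article: 1.237/KLOC; defects and LOC assumed
    ScanResult("x11", 1_681, 3_000_000),   # article: 1,681 defects; LOC is a placeholder
    ScanResult("php", 500, 600_000),       # constructed: deliberately above baseline
    ScanResult("apache", 300, 1_200_000),  # constructed
]


def aggregate_density(results: List[ScanResult]) -> float:
    """Baseline density over the whole corpus: total defects / total KLOC.

    A single corpus-wide figure (like the story's 0.434/KLOC over 17.5 million
    lines) is a size-weighted aggregate, not a mean of per-project densities.
    """
    total_defects = sum(r.defects for r in results)
    total_kloc = sum(r.lines_of_code for r in results) / 1000.0
    return total_defects / total_kloc


def above_baseline(results: List[ScanResult]) -> List[str]:
    """Projects whose density exceeds the corpus baseline (the PHP case in the
    story), worst first."""
    baseline = aggregate_density(results)
    worse = [r for r in results if r.density > baseline]
    return [r.project for r in sorted(worse, key=lambda r: r.density, reverse=True)]


def rank_by(results: List[ScanResult], metric: str) -> List[str]:
    """Order projects by 'density' or by absolute 'defects', worst first.

    The two orderings differ: a large code base can top the absolute count
    while its density is unremarkable, which is why both views are reported.
    """
    keys: Dict[str, Callable[[ScanResult], float]] = {
        "density": lambda r: r.density,
        "defects": lambda r: float(r.defects),
    }
    return [r.project for r in sorted(results, key=keys[metric], reverse=True)]


def report(results: List[ScanResult]) -> str:
    """Human-readable table, flagging projects above the baseline."""
    baseline = aggregate_density(results)
    lines = [f"baseline: {baseline:.3f} defects/KLOC"]
    for r in sorted(results, key=lambda r: r.density, reverse=True):
        flag = "ABOVE BASELINE" if r.density > baseline else ""
        lines.append(f"{r.project:<8}{r.defects:>6} defects {r.density:7.3f}/KLOC {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

Running it prints the constructed corpus ranked by density; note that `x11` tops the absolute ranking while sitting well below `amanda` on density, the same distinction the article draws between X and the Amanda/XMMS extremes.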
... to show the projected "economic" expectations of countries around the world; also, when will the 90% plus world market-share start to use these LAMPs to see the performances! ;-)
LAMP is used for web-based applications, which means anything created on it is also available to Windows users. You can also run Apache, MySQL and Python/Perl/PHP on Windows (WAMP).
Also, Apache is used on 70% of the web's servers, meaning that at some point you must've come across a web site running on LAMP (look for web sites that have .php instead of .html).
Now please stop with the junk about Windows being used by the majority on the desktop so it must be better than Linux running as a web server.
Fred, before you start bagging other people's mastery of the English language and making broad sweeping claims based on your own insecurity, I suggest that you read the story correctly. This story has nothing to do with Microsoft as only Open Source products were compared.
In fact you could even argue that it highlights that the open source community does not have a solution to the challenges of writing secure software. If all bugs are shallow and the OSS community are committed to fixing the non-sexy facets of a solution, then why does the US government have to spend millions helping them?
Security is an incredibly hard problem to solve and to be honest some of the OSS claims are fundamentally flawed. Have a look at http://www.developer.com/tech/article.php/10923_626641_1
It is also interesting to note that many OSS products like MySQL only stay afloat because they sell licensed versions of their software (66% of their revenue), which may give them more money to spend on engineering internally themselves. http://www.tampatech.com/services/business_factors_in_oss_database_companies.htm
http://www.realmeme.com/Main/miner/technology/LAMPlinuxDejanews.png
LAMP is one of the issues confronting J2EE -
http://www.realmeme.com/Main/savingj2ee/index.jsp