Get Smart about Business Spending
- Related Stories
-
Open-source bug hunt project expands
March 27, 2007 -
Open-source hunt digs up more flaws
May 3, 2006 -
Developers fast to fix open-source bugs
April 4, 2006 -
LAMP lights the way in open-source security
March 6, 2006 -
Homeland Security helps secure open-source code
January 10, 2006 - Related Blogs
-
Open source security: Security in process, not code
January 9, 2008 -
U.S. Department of Defense announces open-source conference
November 13, 2007
The work is part of a U.S. government-backed project to harden open-source code.
"We applaud the developers responsible for the 11 open-source projects that have advanced to the second rung of code security and quality," said David Maxwell, open-source strategist for Coverity.
The Open Source Hardening Project, sponsored by the U.S. Department of Homeland Security, uses Coverity's Scan, which grades projects on a "ladder" according to their progress at fixing and preventing flaws.
Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL. According to Coverity, this new development means users will be able to "select these open-source applications with even greater confidence."
Several other projects are expected to advance to Rung 2 over the next few months. The Open Source Hardening Project began in January 2006 and was expanded early in 2007 to cover a list of 150 projects.
Coverity uses static source-code analysis to spot errors in code, such as open brackets. Projects on Rung 2 will move on to use the company's "satisfiability" techniques, which use a bit-accurate representation of a software system, translating every relevant software operation into Boolean values (true and false) and Boolean operators (such as and, not, or).
Coverity claims this type of analysis is a first in commercial programming and is able to spot hundreds more bugs than the tools available on Rung 1.
Although the project is clearly improving the security of open-source software, some have expressed concern that coverage of its results may produce bad publicity in the form of headlines about security flaws in open-source software.
Peter Judge of ZDNet UK reported from London.
See more CNET content tagged:
Coverity, open source, open-source software, project, analysis
In terms of security, PHP is horrible. As a programming language it is not much better.
I don't think this is bad publicity for OSS. If anything it is good news. OSS generally takes security seriously and doesn't deny and hide issues and then post fixes only when they have to like many proprietary software companies.
- While Microsoft stays at Rung 0
- by wbenton January 13, 2008 7:31 AM PST
- Many things still need to be done... but Microsoft still needs to do many things before they can even think about achieving the status of Rung 1... much less Rung 2.
- Reply to this comment
-
-
- I knew open source was BUGGY
- by NotParker January 13, 2008 5:32 PM PST
- I knew open source was BUGGY ... but WOW!!!
- View reply
Processing -
(4 Comments)Walt
7500 bugs in just the first pass.
What will it be next week? 75,000???