CRMBuyer.com

Coverity Certifies 11 Open Source Bug Hunters


With a grant from the Department of Homeland Security, security firm Coverity has been scanning open source software for security holes since 2006. Across the hundreds of projects scanned, 7,500 holes have been fixed, according to Coverity. Open source projects analyzed at the site include some of the world's most widely used applications, among them the Apache Web server and Firefox.


To thrive in today’s highly competitive business environment, you need innovative approaches to attract and retain customers. Click here to see how Salesforce.com, West Marine, and VForce-AAA Ohio use LiveOps to optimize their customer experiences.

San Francisco-based security firm Coverity has been working with support from the U.S. Department of Homeland Security (DHS) and with Stanford University to find flaws in open source software, and it looks like they've found plenty.

Since March 2006, an online Coverity software scanning site has analyzed 50 million lines of software in more than 250 projects, which ultimately led to 7,500 software defect fixes, 6,000 of which occurred in the first year.

The scanning comes courtesy of a DHS grant that's part of the federal government's Open Source Hardening Project. The project is designed to make open source software more secure for businesses and government agencies that utilize it.

Movin' On Up

More importantly, Coverity announced this week that 11 popular open source projects have graduated to "rung 2" of Coverity's open source security ladder, which means basic security vulnerabilities have been fixed and the developers of the project have built up experience with Coverity's Prevent toolset. At rung 2, the open source projects will benefit from more thorough testing using Coverity's upgraded scanning solutions, which can root out hard-to-find defects.

The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba and TCL.

"We applaud the developers responsible for the 11 open source projects that have advanced to the second rung of code security and quality at the Coverity Scan site," noted David Maxwell, open source strategist for Coverity.

In addition to these 11, more open source projects are poised to advance to rung 2 in the coming months.

Popular Projects

Open source projects analyzed at the site include some of the world's most widely used applications, including the Apache Web server, the Linux operating system, the Firefox browser and the Samba file and printer sharing system, Coverity said.

The company noted that hundreds of open source developers have integrated the use of Coverity's technology into their open source development process to improve software quality and security.

Intrinsic Flaws?

The obvious question is, are open source projects more likely to have security weaknesses than commercial software?

"The research varies. Closed source software advocates will tell you that the lack of available source code as well as commercial interests result in more secure products, while open source software advocates will tell you that many eyes make for shallow bugs, and that patch speed is dramatically increased," Stephen O'Grady, an analyst for RedMonk, told LinuxInsider.

"Ultimately, my view is that all software -- closed or open -- will have vulnerabilities. But nothing I've seen has led me to believe that open source software is intrinsically less secure," he added.

The Coverity Scan site is freely available to qualified open source projects.

By Chris Maxcer