Bug Ferret Gives Linux High Grades

A company that makes a tool for finding bugs in software code disclosed this week that the Linux kernel is far less flawed than many programs people pay money for.

According to San Francisco-based Coverity, its source-code auditing tool found the Linux 2.6 kernel had 985 bugs in its 5.7 million lines of code. The typical commercial software program averages bug densities from 10 to 20 flaws per 1000 lines of code, explained Coverity CEO Seth Hallem.

He maintained that there is a relationship between how buggy a program is and how secure it is from hacker attacks. “Almost any bug that can be triggered by a user from the outside — and, honestly, almost every bug can — is a security vulnerability,” Hallem told LinuxInsider.

Linux Versus Windows Security

“To say that there are less bugs in Linux code than there are in your average commercial software means that Linux has a higher level of security because there are fewer of these latent problems that a user from the outside could potentially trigger,” he said.

The Coverity analysis is sure to throw kerosene on the heated debate over the security merits of Linux over Windows. Asked if Coverity’s data showed that Linux was less prone to security vulnerabilities than Microsoft’s operating system, Hallem replied, “Our analysis does not indicate that.”

He added that he could not say that Linux is more secure than Windows without running Microsoft’s code through Coverity’s audit tool. “Because of the closed source arrangement that Microsoft has, I can’t see that source code,” he said.

More Attacks on Windows

A Microsoft spokesperson, who requested anonymity, noted to LinuxInsider via e-mail: “Microsoft respects the work done by Coverity but cannot support the validity of the test results until we can conduct further investigation of the methodologies and variables involved in the testing process.”

“It is important to note that Coverity’s research did not analyze Windows and Windows was not a part of their bug comparison,” the spokesperson added.

“My feeling is that we really don’t know if one operating system is more secure than another,” Jeffrey Wade, Linux marketing communication manager at HP in Palo Alto, California, said.

He pointed out that Windows is the focus of attacks more frequently than any other operating system. “It stands to reason that we’re going to see more issues there because that’s where the focus is,” he reasoned. “If we saw that same intensity of focus on Linux, we’d see issues and problems there as well.”

People Problem

Whether one operating system is inherently more secure than another can be a misleading measure to users, according to Laura DiDio, senior analyst for the Yankee Group in Boston. “Software, no matter how secure you make it, is only going to be as secure or good as the people who are configuring it, managing it and deploying it,” she said.

While security is important, Wade observed, its influence on buyers appears to be marginal. “We support multiple operating systems as a strategy for our company,” he said. “By and large, security is not discouraging customers from deploying solutions on one operating system over another.”

Hallem observed that the Linux kernel is vastly improved from four years ago when he and his colleagues began developing their tool for auditing flaws in source code. “Our tool was much more primitive at that time and the Linux code base was much earlier in its development and smaller, but we still found defect densities eight times what they are now,” he explained.

Wade added: “The maturity of the folks contributing to Linux now is very high. And the development community over the last several years have employed practices and procedures that are making the development process much more mature than it has been.”