San Francisco-based security firm Coverity has been working with support from the U.S. Department of Homeland Security (DHS) and with Stanford University to find flaws in open source software, and it looks like they’ve found plenty.
Since March 2006, an online Coverity software scanning site has analyzed 50 million lines of software in more than 250 projects, which ultimately led to 7,500 software defect fixes, 6,000 of which occurred in the first year.
The scanning comes courtesy of a DHS grant that’s part of the federal government’s Open Source Hardening Project. The project is designed to make open source software more secure for businesses and government agencies that utilize it.
Movin’ On Up
More importantly, Coverity announced this week that 11 popular open source projects have graduated to “rung 2” of Coverity’s open source security ladder, which means basic security vulnerabilities have been fixed and the developers of the project have built up experience with Coverity’s Prevent toolset. At rung 2, the open source projects will benefit from more thorough testing using Coverity’s upgraded scanning solutions, which can root out hard-to-find defects.
The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba and TCL.
“We applaud the developers responsible for the 11 open source projects that have advanced to the second rung of code security and quality at the Coverity Scan site,” noted David Maxwell, open source strategist for Coverity.
Beyond those 11, other open source projects are poised to advance to rung 2 over the coming months.
Open source projects analyzed at the site include some of the world’s most widely used applications, such as the Apache Web server, the Linux operating system, the Firefox browser and the Samba file and printer sharing system, Coverity said.
The company noted that hundreds of open source developers have integrated the use of Coverity’s technology into their open source development process to improve software quality and security.
The obvious question is, are open source projects more likely to have security weaknesses than commercial software?
“The research varies. Closed source software advocates will tell you that the lack of available source code as well as commercial interests result in more secure products, while open source software advocates will tell you that many eyes make for shallow bugs, and that patch speed is dramatically increased,” Stephen O’Grady, an analyst for RedMonk, told LinuxInsider.
“Ultimately, my view is that all software — closed or open — will have vulnerabilities. But nothing I’ve seen has led me to believe that open source software is intrinsically less secure,” he added.
The Coverity Scan site is freely available to qualified open source projects.