Linked by Thom Holwerda on Wed 9th Jan 2008 22:34 UTC, submitted by vermaden
"Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security. Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects. A total of 7826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that's being used in the review." Note: I just want to state for the record that the headline has not been written by me. I do like the total kicking-in-open-doors air surrounding it, though.
Permalink for comment 295137
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Recent Original Stories
Recent Comments
Headlines
Random Comments
Random Stories
Random OS Link
Member since:
2005-07-06
What I find interesting is how this is labelled news when it is confirming what is common knowledge.
The issue isn't necessarily the number of bugs but the speed in which they are fixed, the speed in which the fixes are made available, and when there are security issues, the speed in which structural problems are addressed.
Anyone remember around 2 years ago KHTML went through a spate of security problems so over Christmas one year, one of the developers (on his holiday) did a complete code audit there were some development procedure changes etc. etc. lets remember, these weren't serious security issues, but the developers were proactive enough to bite it in the butt before it became worse. Here we are, 2 years later, with a very secure and stable KHTML/Webkit.
The problem is, however, is that many companies don't want to do the above; what is easier - fixing a problem correctly which might set them back several thousand, or simply continuing to patch which is cheaper (but later offset by a buggy, complex, ugly code based to maintain)? that is the issue at hand.