Linked by Thom Holwerda on Wed 9th Jan 2008 22:34 UTC, submitted by vermaden
Privacy, Security, Encryption "Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security. Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects. A total of 7826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that's being used in the review." Note: I just want to state for the record that the headline has not been written by me. I do like the total kicking-in-open-doors air surrounding it, though.
Thread beginning with comment 295139
To be fair...
by Vanders on Wed 9th Jan 2008 23:22 UTC
Vanders Member since:
2005-07-06

That figure does include some PHP. Did they include bind and sendmail as well? That would just be unfair.

I'm kidding. Mostly.

RE: To be fair...
by Moocha on Wed 9th Jan 2008 23:59 in reply to "To be fair..."
Moocha Member since:
2005-07-06

That figure does include some PHP. Did they include bind and sendmail as well? That would just be unfair.

I'm kidding. Mostly.
Heh. In all fairness though, BIND security has improved substantially over the last few years. Don't know about sendmail since I've abandoned it completely in favor of postfix and lately qmail again, now that it's got a workable license.

Score: 3

RE: To be fair...
by butters on Thu 10th Jan 2008 00:45 in reply to "To be fair..."
butters Member since:
2005-07-08

Yeah, I also have to rise in the defense of BIND. One of my past jobs involved static code analysis for a large software project, and we were evaluating whether or not to license Coverity Prevent. In order to judge its merit, I was to select an open source project and compare the Coverity results to those from another analysis tool that we'd been using for some time.

I initially picked BIND, since it's well-known and the defect rate from Coverity was very low. I figured it would be a good showcase for comparing the performance of the tools on high quality code. The problem was, when I ran the other tool on BIND, it hardly found any real defects at all. I was shocked. In order to produce more meaningful results, I settled on the FreeBSD kernel. That produced plenty of data.

During my time investigating BIND, I really liked what I saw. Most functions begin with a set of assertions. It has its own uber-paranoid memory allocator that's used universally across the codebase. BIND is a very solid piece of code. Respect.

Coverity Prevent is also an outstanding static analysis tool. Definitely the best out there by far. It's pretty damn expensive for proprietary projects (it can run several million dollars for a large codebase), but it's free (beer) for any free software project as long as Coverity is credited in the bug reports. Every free software project ought to be running Coverity as a part of their development and release processes. Most of the bigger projects like Linux and Apache have already been running it for years.

Score: 7
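The defensive style butters describes (functions that assert their preconditions on entry, plus a paranoid allocator used everywhere) as an added C example; this is not BIND's code and not from the thread, and REQUIRE, mctx_t, mem_get, mem_put and mem_leaks are hypothetical names. The allocator registers every block it hands out, so a double free, a foreign pointer or a wrong size is refused and reported instead of corrupting the heap, and blocks never returned can be counted at teardown; these are the same defect classes a static analyzer reports, which is one reason code written this way yields few findings.

```c
#include <stdio.h>
#include <stdlib.h>
/* Entry assertion (hypothetical macro in the "assertions first" style described
 * above): a violated precondition is a caller bug, so stop at once. */
#define REQUIRE(c) do { if (!(c)) { fprintf(stderr, "REQUIRE(%s) failed at %s:%d\n", \
    #c, __FILE__, __LINE__); abort(); } } while (0)
#define MAX_LIVE 64
typedef struct { void *p; size_t size; } slot_t;
/* Memory context: every live block is registered, so misuse becomes checkable. */
typedef struct { slot_t live[MAX_LIVE]; size_t inuse; } mctx_t;
void *mem_get(mctx_t *ctx, size_t size) {
    REQUIRE(ctx != NULL); REQUIRE(size > 0);
    for (size_t i = 0; i < MAX_LIVE; i++) {
        if (ctx->live[i].p != NULL) continue;
        void *p = malloc(size); if (p == NULL) return NULL;
        ctx->live[i].p = p; ctx->live[i].size = size; ctx->inuse += size;
        return p;
    }
    return NULL;   /* registry full: refuse rather than lose track of a block */
}
/* 0 on success; -1 if p is not a live block of exactly this size (double free,
 * foreign pointer, wrong size): the bug is reported, not written into the heap. */
int mem_put(mctx_t *ctx, void *p, size_t size) {
    REQUIRE(ctx != NULL); REQUIRE(p != NULL);
    for (size_t i = 0; i < MAX_LIVE; i++) {
        if (ctx->live[i].p != p) continue;
        if (ctx->live[i].size != size) return -1;
        free(p); ctx->live[i].p = NULL; ctx->inuse -= size;
        return 0;
    }
    return -1;
}
/* Blocks never returned: checked at context teardown to catch leaks. */
size_t mem_leaks(const mctx_t *ctx) {
    size_t n = 0; REQUIRE(ctx != NULL);
    for (size_t i = 0; i < MAX_LIVE; i++) n += (ctx->live[i].p != NULL);
    return n;
}
/* Constructed scenario: three misuses the allocator refuses plus one leak it
 * reports. Returns how many of the four problems were caught (expected 4). */
int demo(void) {
    mctx_t ctx = {0}; char stack_buf[16]; int caught = 0;
    void *a = mem_get(&ctx, 32), *b = mem_get(&ctx, 8);
    if (a == NULL || b == NULL) return -1;
    if (mem_put(&ctx, a, 32) == 0 && mem_put(&ctx, a, 32) == -1) caught++; /* double free */
    if (mem_put(&ctx, b, 16) == -1) caught++;                               /* wrong size */
    if (mem_put(&ctx, stack_buf, 16) == -1) caught++;                       /* foreign ptr */
    if (mem_leaks(&ctx) == 1) caught++;                                     /* b leaked */
    mem_put(&ctx, b, 8); return caught;
}
```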