Class digs into software flaws

Hot on the heels of the previous story about Linux kernel bugs, Daniel J. Bernstein's UNIX Security Holes class has uncovered a number of security flaws in application software for nix systems.

Bernstein, probably best known for qmail and his qmail security guarantee, assigned his students the task of finding 10 security flaws in nix software. That's 10 per student, not for the entire class. (I'm happy I didn't have to pass this class to get out of college...)

A total of 44 security holes were found by the class, mostly in add-on applications that are not part of a core system. Browsing through the list, it looks like applications used to convert files from one format to another are particularly problematic. The slides for his class make for interesting reading, if you're into that sort of thing.

Of course, this doesn't really say much about the relative security of open source or nix systems in general, does it? Given a handful of graduate students, 44 security holes were found in a handful of programs in the course of a semester. Since Bernstein's assignment was for each student to find 10 security holes, it looks like his students found far fewer security holes than he expected. When one takes into consideration that there are only around 200 security advisories for the entire Debian Project in 2004, it seems like something of an unfair assignment.