Open source software security improving

Summary: You cannot say something is good or bad unless you benchmark or compare it against something else. According to Linus's Law, "given enough eyeballs, all bugs are shallow", a mentality which, when combined with static code analysis of the most popular and widely used open source projects such as Firefox, Linux and PHP and benchmarked against 250 other open source projects, can truly make an impact.

You cannot say something is good or bad unless you benchmark or compare it against something else. According to Linus's Law, "given enough eyeballs, all bugs are shallow", a mentality which, when combined with static code analysis of the most popular and widely used open source projects such as Firefox, Linux and PHP and benchmarked against 250 other open source projects, can truly make an impact. Is open source software security improving? Coverity's recently released Open Source Report 2008 indicates it is.

Key summary findings of the report:

Findings are based on analysis of over 55 million lines of code on a recurring basis from more than 250 open source projects, representing 14,238 individual project analysis runs for a total of nearly 10 billion lines of code analyzed. In summary, this report contains the following findings:

- The overall quality and security of open source software is improving – Researchers at the Scan site observed a 16% reduction in static analysis defect density over the past two years

- Prevalence of individual defect types – There is a clear distinction between common and uncommon defect types across open source projects

- Code base size and static analysis defect count – Research found a strong, linear relationship between these two variables

- Function length and static analysis defect density – Research indicates static analysis defect density and function length are statistically uncorrelated

- Cyclomatic complexity and Halstead effort – Research indicates these two measures of code complexity are significantly correlated to codebase size

- False positive results – To date, the rate of false positives identified in the Scan databases averages below 14%

The most prevalent defect found in the study was the null-pointer dereference, representing 27.95% of all defects, followed by resource leaks, with the most commonly known class, buffer overflows, comprising only 6% of the total issues identified. Perhaps the most valuable benefit of the whole project is that insecure coding practices are easily spotted, building more awareness of how to prevent them. Consider going through the report, and include your open source software in the Scan project.
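As an added illustration (not code from the report or this article), the three defect classes the study ranks, null-pointer dereference, resource leak and buffer overflow, in a short C routine shown in a defective form beside a hardened one; the function names, the `TAG_MAX` limit and the sample input are constructed for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAG_MAX 16   /* constructed limit for the example */

/* Defective version: the three defect classes the Scan report ranks; kept for contrast, never called. */
int tag_line_len_defective(FILE *f, const char *tag)
{
    char name[TAG_MAX];
    char *line = malloc(256);
    strcpy(name, tag);                  /* buffer overflow when tag needs >= TAG_MAX bytes */
    if (fgets(line, 256, f) == NULL)    /* null deref: neither f nor line was checked */
        return -1;                      /* resource leak: line is never freed on this path */
    int n = (int)strlen(line) + (int)strlen(name);
    free(line);
    return n;
}

/* Hardened version: pointers checked, bounded copy, one release path. */
int tag_line_len(FILE *f, const char *tag)
{
    char name[TAG_MAX], *line;
    int n = -1;
    if (f == NULL || tag == NULL)
        return -1;                      /* null-pointer check before any use */
    if (snprintf(name, sizeof name, "%s", tag) >= (int)sizeof name)
        return -1;                      /* reject a tag that would be truncated */
    if ((line = malloc(256)) == NULL)
        return -1;
    if (fgets(line, 256, f) != NULL)
        n = (int)strlen(line) + (int)strlen(name);
    free(line);                         /* released on every path that allocated */
    return n;
}

/* Self-check on constructed input; returns the number of checks passed (3). */
int self_check(void)
{
    int passed = 0;
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    fputs("hello\n", f);                /* 6 bytes including the newline */
    rewind(f);
    if (tag_line_len(f, "fw") == 8) passed++;                  /* 6 + 2 */
    if (tag_line_len(NULL, "fw") == -1) passed++;              /* null FILE* rejected */
    if (tag_line_len(f, "0123456789abcdef") == -1) passed++;   /* 16 chars need 17 bytes */
    fclose(f);
    return passed;
}
```

A static analyser flags the first function on all three counts without running it; the second is the shape the Scan project pushes contributors toward.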

Topic: Security


Talkback

13 comments
  • There's no such thing as an open source software security problem...

    Didn't we all learn this already from our "trusted" zealots.
    transposeIT
    • For your information.....

      Something about open source security:
      http://ubuntutip.googlepages.com/security
      pjotr123
  • Since 1998

    AFAIK, I have never suffered an exploit using Linux. I spend a lot of time on the internet, w/DSL, I am always connected, no AV or anything of that ilk. No scan disk, no defrag, no problems. No system hangs, no crashes, no BSOD. The trade-off is that we had to learn some new stuff. It has been more than worth it!
    richdave
    • My experience since 2000

      is the same. Which means the Free Open Source devs have got to be doing something right.
      tracy anne