Open source software security improving

Summary: You cannot say something's good or bad unless you benchmark or compare it against something else. According to Linus's Law, "given enough eyeballs, all bugs are shallow", a mentality which, when combined with static code analysis of the most popular and widely used open source projects such as Firefox, Linux and PHP, and benchmarked against 250 other open source projects, can truly make an impact.

You cannot say something's good or bad unless you benchmark or compare it against something else. According to Linus's Law, "given enough eyeballs, all bugs are shallow", a mentality which, when combined with static code analysis of the most popular and widely used open source projects such as Firefox, Linux and PHP, and benchmarked against 250 other open source projects, can truly make an impact. Is open source software security improving? Coverity's recently released Open Source Report 2008 indicates that it is.

Key summary findings of the report:

Findings are based on analysis of over 55 million lines of code on a recurring basis from more than 250 open source projects, representing 14,238 individual project analysis runs for a total of nearly 10 billion lines of code analyzed. In summary, this report contains the following findings:

- The overall quality and security of open source software is improving – Researchers at the Scan site observed a 16% reduction in static analysis defect density over the past two years

- Prevalence of individual defect types – There is a clear distinction between common and uncommon defect types across open source projects

- Code base size and static analysis defect count – Research found a strong, linear relationship between these two variables

- Function length and static analysis defect density – Research indicates static analysis defect density and function length are statistically uncorrelated

- Cyclomatic complexity and Halstead effort – Research indicates these two measures of code complexity are significantly correlated to codebase size

- False positive results – To date, the rate of false positives identified in the Scan databases averages below 14%

The most prevalent defect found in the study was the null-pointer dereference, representing 27.95% of all defects, followed by resource leaks; the best-known defect type, the buffer overflow, comprised only 6% of the total issues identified. Perhaps the most valuable benefit of the whole project is that insecure coding practices are easily spotted, and more awareness is built on how to prevent them from happening. Consider going through the report, and include your open source software in the Scan project.
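As an added illustration, not taken from the article or from the Coverity report, here are the two defect classes the report found most often (a null-pointer dereference and a resource leak) in a small hypothetical `key=value` line parser, beside a corrected version; the function names and sample inputs are assumptions.

```c
/* Added example, not from the report or the article: a hypothetical
 * "key=value" parser showing the two most common static-analysis findings
 * (null-pointer dereference, resource leak) and the corrected form. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed version: strchr() returns NULL when the line has no '=', and the
 * empty-key early return leaves the heap copy unfreed. Both are exactly the
 * defect classes a static analyser flags. */
int parse_kv_flawed(const char *line, char *key, size_t key_len,
                    char *value, size_t value_len)
{
    char *copy = malloc(strlen(line) + 1);  /* unchecked: may be NULL */
    strcpy(copy, line);
    char *eq = strchr(copy, '=');           /* NULL when no '=' present */
    if (eq == copy)
        return -1;                          /* resource leak: copy not freed */
    *eq = '\0';                             /* null-pointer dereference */
    snprintf(key, key_len, "%s", copy);
    snprintf(value, value_len, "%s", eq + 1);
    free(copy);
    return 0;
}

/* Hardened version: every pointer that can be NULL is checked before use,
 * and the heap copy is released on every path, including error paths. */
int parse_kv(const char *line, char *key, size_t key_len,
             char *value, size_t value_len)
{
    if (line == NULL || key == NULL || value == NULL)
        return -1;
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;                          /* allocation failure handled */
    strcpy(copy, line);
    char *eq = strchr(copy, '=');
    if (eq == NULL || eq == copy) {
        free(copy);                         /* no leak on the error path */
        return -1;
    }
    *eq = '\0';
    snprintf(key, key_len, "%s", copy);
    snprintf(value, value_len, "%s", eq + 1);
    free(copy);
    return 0;
}
```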

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

5 comments
  • There's no such thing as an open source software security problem...

    Didn't we all learn this already from our "trusted" zealots.
    transposeIT
    • For your information.....

      Something about open source security:
      http://ubuntutip.googlepages.com/security
      pjotr123
  • Since 1998

    AFAIK, I have never suffered an exploit using Linux. I spend a lot of time on the internet, w/DSL, I am always connected, no AV or anything of that ilk. No scan disk, no defrag, no problems. No system hangs, no crashes, no BSOD. The trade off is that we had to learn some new stuff. It has been more than worth it!
    richdave
    • My experience since 2000

      is the same. Which means the Free Open Source devs have got to be doing something right.
      tracy anne