PHP, Python, Samba get security tick of approval

Perl, PHP, Python and Samba have been commended for improving security in a report analysing over 250 open-source projects.

Perl, PHP, Python and Samba have been commended for improving security in a report analysing over 250 open-source projects.

The Scan Report on Open Source Software 2008 by vendor Coverity has found the number of defective lines of code in open source software has decreased in the past two years. According to Coverity, which analyses open source software as part of the US Department of Homeland Security's open source software hardening project, fewer lines of defective code means the overall quality and security of the software is improving.

To gain an overall picture of how secure open source software is, the report looked at the density of defective lines per project in 250 open-source projects, including Firefox, Linux, PHP, Python and Samba.

In 2006, there was roughly one defect per 3,333 lines of code across all projects. The latest report finds the figure has decreased to one defect per 4,000 lines of code, translating into a 16 per cent reduction in "static analysis defect density".

Open-source projects Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba and TCL were commended in the report for its developers' elimination of "multiple classes of potential security vulnerabilities" from their code.

The most common flaw found were "Null Pointer Deference" vulnerabilities, which accounted for 28 per cent of all flaws detected.

Open vs closed source security debate continues
The debate whether open source or closed source software will not be settled by this report, according to Coverity, "primarily due [to] the difficulty involved in obtaining comparable datasets" for closed source software.

Open source software has been rejected by some Australian government CIOs, such as the ATO's Bill Gibson, for an apparent inability to vet the software and a preference for relying on vendors to ensure the safety of products.

"We would need to make sure that we are very comfortable — through some form of technical scrutiny — of what is inside such a product so that there is nothing unforeseen there... I realise that these risks exist even in proprietary code, however, there is a vendor's reputation that helps protect [you and] provide that assurance," said Gibson.

Linux Australia president and software engineer for Sun, Stewart Smith, disagreed with Gibson: "With all due respect to the person who said that, you can't trust closed source software because you can't review the code," he told ZDNet.com.au.

"The difference with open source software is that references are public, so you can read how a decision came about. The problem with closed source is that it could be anyone inside the multinational corporation that could put code in there and users on the outside don't know and can't see the quality of the code review," he added.

However, open-source code reviews have hit the headlines recently, after the Debian SSL debacle. Security analysts blamed poor code review processes for the predictable encryption keys being generated for several years.

"Four or five things went wrong, but it all managed to go wrong at the same time and accumulated to something that was drastic. That was a whole bunch of bad luck and a lot of soul searching is going on now to look at how not to allow that to happen again? But the fact is, it's being dealt with openly, and it's very much about fixing the problem... not about hiding anything," Smith said.