[Infowarrior] - Open-source security moves to next step

Richard Forno rforno at infowarrior.org
Sat Jan 12 14:15:31 UTC 2008


Open-source security moves to next step

By Peter Judge
http://www.news.com/Open-source-security-moves-to-next-step/2100-1002_3-6225700.html

Story last modified Fri Jan 11 09:35:10 PST 2008


Source code analysis expert Coverity has found and helped fix more than
7,500 security flaws in open-source software, and published a list of the 11
open-source projects working fastest to sort them out.

The work is part of a U.S. government-backed project to harden open-source
code.

"We applaud the developers responsible for the 11 open-source projects that
have advanced to the second rung of code security and quality," said David
Maxwell, open-source strategist for Coverity.

The Open Source Hardening Project, sponsored by the U.S. Department of
Homeland Security, uses Coverity's Scan, which grades projects on a "ladder"
according to their progress at fixing and preventing flaws.

Eleven projects have been awarded the newly announced status of Rung 2,
including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP,
Postfix, Python, Samba, and TCL. According to Coverity, this new development
means users will be able to "select these open-source applications with even
greater confidence."

Several other projects are expected to advance to Rung 2 over the next few
months. The Open Source Hardening Project began in January 2006 and was
expanded early in 2007 to cover a list of 150 projects.

Coverity uses static source-code analysis to spot errors in code, such as
open brackets. Projects on Rung 2 will move on to use the company's
"satisfiability" techniques, which use a bit-accurate representation of a
software system, translating every relevant software operation into Boolean
values (true and false) and Boolean operators (such as and, not, or).
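To make the "bit-accurate" idea concrete, here is an added example (not Coverity's code and not part of the article) that models a 4-bit unsigned addition and a length check as a propositional formula, then searches for an assignment in which the check passes even though the addition wrapped around. The word width (4 bits), the limit (8) and the exhaustive enumeration standing in for a real SAT solver are all assumptions made for illustration; the class names and helper functions are mine.

```python
from itertools import product

# Minimal propositional AST. Every node evaluates to True/False under an
# assignment (dict: variable name -> bool). This is the "translate every
# operation into Boolean values and operators" step in miniature.
class Const:
    def __init__(self, v): self.v = v
    def ev(self, a): return self.v

class Var:
    def __init__(self, name): self.name = name
    def ev(self, a): return a[self.name]

class Not:
    def __init__(self, p): self.p = p
    def ev(self, a): return not self.p.ev(a)

class And:
    def __init__(self, *ps): self.ps = ps
    def ev(self, a): return all(p.ev(a) for p in self.ps)

class Or:
    def __init__(self, *ps): self.ps = ps
    def ev(self, a): return any(p.ev(a) for p in self.ps)

def Xor(p, q):
    return Or(And(p, Not(q)), And(Not(p), q))

def word(name, width):
    """A machine word as a list of Boolean variables, least significant bit first."""
    return [Var(f"{name}{i}") for i in range(width)]

def const_word(value, width):
    return [Const(bool((value >> i) & 1)) for i in range(width)]

def add(x, y):
    """Bit-accurate ripple-carry adder. Returns (sum bits, carry-out).
    The sum bits are the wrapped machine result; the carry-out records that
    the mathematical result did not fit in the word."""
    total, carry = [], Const(False)
    for xi, yi in zip(x, y):
        partial = Xor(xi, yi)
        total.append(Xor(partial, carry))
        carry = Or(And(xi, yi), And(partial, carry))
    return total, carry

def less_than(x, y):
    """Unsigned x < y, decided from the most significant bit downwards."""
    lt, eq = Const(False), Const(True)
    for xi, yi in zip(reversed(x), reversed(y)):
        lt = Or(lt, And(eq, Not(xi), yi))
        eq = And(eq, Not(Xor(xi, yi)))
    return lt

def solve(formula, names):
    """Satisfiability by exhaustive enumeration (assumption: a stand-in for the
    SAT solver a real tool would use; 8 variables is small enough)."""
    for values in product([False, True], repeat=len(names)):
        assignment = dict(zip(names, values))
        if formula.ev(assignment):
            return assignment
    return None

def to_int(assignment, name, width):
    return sum(assignment[f"{name}{i}"] << i for i in range(width))

WIDTH = 4   # assumed word width, kept tiny so enumeration is instant
LIMIT = 8   # constructed buffer size that the guard compares against

def wraparound_model(hardened):
    """Models `n = a + b; if (n < LIMIT) use(n)` on WIDTH-bit unsigned words and
    asks whether the guard can pass while the addition overflowed.
    hardened=True adds the usual overflow test `n >= a` to the guard.
    Returns a satisfying assignment (a finding) or None (property holds)."""
    a, b = word("a", WIDTH), word("b", WIDTH)
    n, overflow = add(a, b)
    guard = less_than(n, const_word(LIMIT, WIDTH))
    if hardened:
        guard = And(guard, Not(less_than(n, a)))  # wrapped sums are always < a
    names = [v.name for v in a + b]
    return solve(And(guard, overflow), names)

if __name__ == "__main__":
    m = wraparound_model(hardened=False)
    print("weak guard: a =", to_int(m, "a", WIDTH), "b =", to_int(m, "b", WIDTH))
    print("hardened guard model:", wraparound_model(hardened=True))
```

The unhardened model returns a concrete pair of operands whose true sum exceeds the word but whose wrapped value slips under the limit, which is exactly the kind of witness a satisfiability-based checker reports; the hardened guard yields no model, so the same machinery also confirms that a fix closes the case rather than merely hiding it.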

Coverity claims this type of analysis is a first in commercial programming
and is able to spot hundreds more bugs than the tools available on Rung 1.

Although the project is clearly improving the security of open-source
software, some have expressed concern that coverage of its results may
produce bad publicity in the form of headlines about security flaws in
open-source software.

Peter Judge of ZDNet UK reported from London.


Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.
