Under a contract with the U.S. Department of Homeland Security, Stanford University and Coverity are working to identify and fix potential security defects in open-source software projects. As part of the collaborative effort, Coverity announced this week a list of 11 open-source projects that have resolved every defect its static analysis identified in their code. Note that this is a clean result against one analyzer's current checks, not a certification that the code is free of vulnerabilities.
The list includes widely used applications, such as Perl, PHP, Samba, and Postfix, along with Amanda, NTP, OpenPAM, OpenVPN, Overdose, Python and TCL. Each project eliminated multiple classes of potential security vulnerabilities and quality defects from its code using the Coverity Scan site.
Coverity is a privately held, San Francisco-based company that develops source-code analysis tools. The Coverity Scan site was developed with support from Homeland Security as part of the federal government's "Open Source Hardening Project."
The site divides open source projects into different "rungs" based on the progress each project makes in resolving its defects. Projects at higher rungs receive access to additional analysis capabilities using the Coverity Prevent system.
Climbing the Ladder
On the basis of the latest results, Coverity is advancing the 11 projects to "Rung 2" of its ladder, the highest rung any project has reached so far.
Projects at Rung 2 have access to an upgraded version of the Coverity Prevent system with additional checkers. So far, the company said, projects using the upgrade have reported an increase in the number of identified defects, some finding as many as 100 more defects than the Rung 1 analysis had reported. That is the expected outcome of a more capable analyzer, and it is the practical reason a clean Rung 1 result should be read as "no defects reported by that analysis" rather than "defect-free."
Coverity said its Scan site currently analyzes 50 million lines of software in more than 250 projects and has helped fix over 7,500 software defects since the site's launch in March 2006.
Open-source projects analyzed at the site include some of the world's most widely used software, including the Apache Web server, the Linux kernel, the Firefox Web browser, and the Samba file and printer sharing system.
Hardening Open Source
What does the focus and attention on hardening open source mean? Is it an indictment of open-source security or a government endorsement of open-source software? Brad Shimmin, an analyst at Current Analysis, said it's more the latter.
"In my mind, this initiative is not saying that open source is not secure enough to run mission-critical software," he said. "It's an understanding that open source -- unlike closed source -- can actually be improved by interested outside parties."
That points to the power of open source, said Shimmin, who noted that open-source software doesn't force companies to rely on a single vendor to assure the security and stability of the application.
Open-source software, he said, should be hardened and secured. "These are technologies that show up in every single Linux instance that's out on the market, and they are broadly utilized," he explained. "The government is working to help make open-source software better because they believe it's an option that they and others can benefit from."