Weeding Out Flaws in Open-Source Apps
By Jennifer LeClaire / CRM Daily
Under a contract with the U.S. Department of Homeland Security, Stanford University and Coverity are working to identify and fix potential security defects in open-source software projects. As part of the collaborative effort, Coverity announced this week a list of 11 open-source projects that it has certified as having eliminated every defect its analysis identified in their code.

The list includes widely used applications, such as Perl, PHP, Samba, and Postfix, along with Amanda, NTP, OpenPAM, OpenVPN, Overdose, Python and TCL. Each of the projects eliminated multiple classes of potential security vulnerabilities and quality defects from its code using the results published on the Coverity Scan site.

Coverity is a privately-held, San Francisco-based company that develops source-code analysis tools, and the Coverity Scan site was developed with support from Homeland Security as part of the federal government's "Open Source Hardening Project."

The site divides open source projects into different "rungs" based on the progress each project makes in resolving its defects. Projects at higher rungs receive access to additional analysis capabilities using the Coverity Prevent system.

Climbing the Ladder

On the basis of the latest results, Coverity is advancing the 11 projects to "Rung 2" of its ladder, the highest rung any project has reached to date.

Projects at Rung 2 of the ladder have access to an upgraded version of the Coverity Prevent system. So far, the company said, projects using the upgrade have reported an increase in the number of identified defects, with some finding as many as 100 more defects than the Rung 1 analysis had identified.

Coverity said its Scan site currently analyzes 50 million lines of software in more than 250 projects and has helped fix over 7,500 software defects since the site's launch in March 2006.

Open-source projects analyzed at the site include some of the world's most widely used applications, including the Apache Web server, the Linux operating system, the Firefox Web browser, and the Samba file and printer sharing system.

Hardening Open Source

What does the focus and attention on hardening open source mean? Is it an indictment of open-source security or a government endorsement of open-source software? Brad Shimmin, an analyst at Current Analysis, said it's more the latter.

"In my mind, this initiative is not saying that open source is not secure enough to run mission-critical software," he said. "It's an understanding that open source -- unlike closed source -- can actually be improved by interested outside parties."

That points to the power of open source, said Shimmin, who noted that open-source software doesn't force companies to rely on a single vendor to assure the security and stability of the application.

Open-source software, he said, should be hardened and secured. "These are technologies that show up in every single Linux instance that's out on the market, and they are broadly utilized," he explained. "The government is working to help make open-source software better because they believe it's an option that they and others can benefit from."

© Copyright 2018 NewsFactor Network. All rights reserved.