Coverity Reports Open Source Security Making Great Strides

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."

Re:

[Penguinisto (415985)]

Dude - I did NOT want to know about Hillary's Tatas...

(the mental image... holy crap what a bad evil mental image.... it's like the Janet Reno brain-sear of 1998 all friggin' over again!)

/P

Re:

[Teppic_52 (982950)]

You should have used sarcasm tags, you may not have got modded down then.

Re:

[desNotes (900643)]

Microsoft Troll...chek out his post history

Overdose

[PetiePooo (606423)]

What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

Re:Overdose

[PetiePooo (606423)]

What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

Ah, nevermind. Its a Yahoo! chat client. [sourceforge.net] I should have searched Sourceforge instead...

Re:

[UdoKeir (239957)]

Hmmm... posting that link ought to spike their project activity stats for a couple of days. ;-)

Re:

[jvlb (636475)]

Actually, I'd say there's a pretty good possibility the Gov't would ante up just as much, or more, to help fix MS vulns, if MS were as open and cooperative.

Dupe?

[hax0r_this (1073148)]

Is this story different than this one? [slashdot.org]

Re:Dupe?

[ashridah (72567)]

Yes. It has a positive bias in the title (pro open source) instead of a negative one. We want slashdot to be fair and impartial right....?

ash

Re:

[EvanED (569694)]

The other one isn't as blatant an advertisement for Coverity? ;-)

Anyone else

[Bloke down the pub (861787)]

Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.

Re:

[rickb928 (945187)]

No matter where you're from, somewhere else is a bloody shithole.

Except for my hometown. It's the elbow of the Earth. You can see the armpit from there.

Re:

[networkBoy (774728)]

You live in the sac metro area then?
-nB

Re:

[rickb928 (945187)]

Actually, a place in Maine... Looks a little like Vermont.

Dupe

[sethawoolley (1005201)]

Come on guys, didn't you notice this one a couple days ago?

http://it.slashdot.org/article.pl?sid=08/01/09/0027229 [slashdot.org]

173 Projects NOT being actively scanned

[gQuigs (913879)]

If you are involved in said projects, please contact coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

Rung 0: http://scan.coverity.com/rung0.html [coverity.com]

Re:

[X0563511 (793323)]

At the bottom of the page:

If you have any questions or would like to suggest additional
projects to be added, please email [SNIP]

To get the snipped email, ROT-13 this: fpna-nqzva@pbirevgl.pbz

Re:

[by Anonymous Coward]

My project is one of the 173.

Coverity contacted me several months ago. I fixed every issue that they raised and informed them of such. They said thanks and I heard nothing more.

Now they say that my project is in "Rung 0" and they haven't responded to my efforts to contact them. So I really have no idea what is going on; whether they found something new (and unknown to me), or that I'm supposed to be doing something that I haven't done, or what.

Experience with Nmap

[katterjohn (726348)]

I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.

Re:

[kclittle (625128)]

> Oh right, that was just bs from a bunch of zealots.

No, that was wise advise from a bunch of humans. But, wise as they might be, if they handed me code they themselves had written, following their own principles, I'd *still* run Coverity over it.

Re:

[hax0r_this (1073148)]

This is exactly why its more secure by design. Its hard to go through the source if you don't have it.

Any real effect?

[hey (83763)]

I wonder if this fixes will make any difference in the real world.
I use most of those program and they are already 100% reliable for me.

Re:

[Secrity (742221)]

These bugs are not normally noticeable by the user, but some of the bugs may be exploitable.

Re:

[chromatic (9471)]

Some of the bugs I've fixed could have been crashers in certain circumstances. They were unlikely cases, but they had potential unpleasantness.

Reliability vs security.

[argent (18001)]

Reliability is an indication that certain kinds of security flaws are less likely, yes, but... oh, here, have an analogy on me... your car has never accidentally shifted into reverse, I would assume. Does that tell you anything about whether you can pop the trunk open by whacking the bumper in the right place?

Re:

[iabervon (1971)]

Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach t

Update on the article is posted

[ivoras (455934)]

There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html [informationweek.com] See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html [freebsd.org] for discussion on FreeBSD.

Is the Coverity toolkit also open source?

[phatvw (996438)]

Seems ironic that you'd test and certify open source software with closed source test code.
So where can you download the source code for the Prevent suite and all its plugins?

The freebsd projects scanner

[reiisi (1211052)]

TFriendlyA mentions that the freebsd project uses it's own scanner, and the author of the article seems to think it's a variant of Prevent.

Looking up Prevent on wikipedia indicates that Prevent SQS was derived from the Stanford Checker.

http://en.wikipedia.org/wiki/Coverity [wikipedia.org]

Re:

[INT_QRK (1043164)]

This is a huge point! Thank you! So, if DHS would perhaps consider funding, supporting, encouraging, sponsoring, etc., an Open Source project for a software assurance tool set, then such a product could be backed by rigorous peer review from the FLOSS community as well as academia to better ensure validity and continuous improvement. Perhaps Federally Funded Research and Development (FFRDC) Cennters such as Carnegie-Mellon's Software Engineering Institute (SEI) could even be funded for full time CM and repo

Now if only Coverity would release some code..

[Deanalator (806515)]

A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.

Re:

[epine (68316)]

Coverity is doing what all the firewall vendors do, self-inventing threats and then focusing all the dialog on count statistics. It's almost impossible to find coverage on Coverity in terms of what classes of bugs they detect, and the relative importance of the bugs they find. How many are of the "oh my god" variety? I would hazard a guess somewhere between 1 and 5 percent. This is not a number Coverity wishes to see tracked in public forums, as their effort to inflate total bug counts will inevitably d

Re:

[nous (62496)]

A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

i have

open source vs. closed source security

[solinym (1215798)]

I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5 [subspacefield.org]

If I've missed any - or if you have any other suggestions - please email me.

I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

Re:

[Sanat (702)]

Thanks for sharing the information on Security concepts. It looks nice so far (haven't read it all yet) and it says some things in succinct ways that I have always had a difficult time putting into words.

This document is note worthy and is worth a look.

ehm

[towsonu2003 (928663)]

I'm a bit more interested in who were the least in fixing their bugs...