LAMP Lights the OSS Security Way

Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"

Old news

This is old news [serverwatch.com]:

Dupe

http://it.slashdot.org/article.pl?sid=06/03/04/145 3245 [slashdot.org]

Maybe I've been reading too much politics lately..

Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.

I need to do something about my cynicism.

Re:Maybe I've been reading too much politics latel

Well, once you read this snippet from the article, they'll have enough ammo:

"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Re:Maybe I've been reading too much politics latel

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Spot on, as you can see on scan.coverity.com [coverity.com]:

• PHP features 205 defects for 431,327locs, or 0.475 defects/kloc
• Perl has 91 defects for 431,327locs, or 0.19 defects/kloc
• Python is very slightly lower than perl (but with a noticeably smaller codebase) at 49 defects for 259,908locs or 0.189 defects/kloc
• Apache-httpd features 32 defects in 127,817 locs, or 0.25 defect/klock

MySQL isn't featured (Ruby is also a noticeable absent), but PostgreSQL stands at 296 defects for 815,748 locs, or 0.363 defects/kloc, and the lightweight SQLite has 16 defects for 60,722 locs or 0.263 defect/klock.

Fucking LAMP.

I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

To me, MySQL is like the MS Access of the Open Source world.

Re:Fucking LAMP.

Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.

There are open (and closed) source products that have dealt with these issues for years. Modern ORMs products handle all of these matters, and automatically provide translation between portable query languages (such as JDOQL) and high-performance vendor-specific SQL depending on the database you deploy on.

It is astonishing to see these matters still being discussed as if no solution exists!

Re:Fucking LAMP.

I'm sick of DB makers ignoring standards and making their SQL not 100% SQL99 compliant.

it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

That is one of the big problems. the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MYSQL, and Oracle that cause pain and suffering like this.

Re:Fucking LAMP.

Well, the GP didn't say what kind of undergraduate degree program he was in, so maybe it was on something very applied like "Database Administration" and you're right.

But if he's getting a Computer Science degree (which seems to be the plurality of students on /.), then his courses should *not* be emphasizing how the syntax for database A is different from the syntax for database B. The courses should be about higher level concepts (maybe replication, or normalization).

Re:Fucking LAMP.

Exactly. I didn't sign up to go to a trade school. I signed up to learn CS.

don't waste that $$$!

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

Re:don't waste that $$$!

Ah, but how many lines of code will it take to correct the bugs? and will those bugfixes themselves contain bugs?

Interested minds couldn't care less.

The LAMP devs _have_ to write secure code.

After all, that stuff's running most of the Internet.

Counting Defects

How can one ever count the defects/bugs per line?
And why count them, and then not remove them?
And one huge defect is better than more than one small ones?
Sounds like a crappy research to me, time to RTFA.

http://scan.coverity.com/ - highest/lowest

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

Just an FYI...AMANDA had the highest amount of bugs at 1.214 Defects / KLOC and OpenVPN the lowest at 0.100 Defects / KLOC.

YEAH RIGHT!

Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless its the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".

I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.

Umm... Way to go Department of Homeland Security?

I have to say, I'm suprised and impressed... a $1.2M grant to harden open source software? Thanks all seeing orwellian eyeball. I don't recall slashdot posting anything about the original grant but here's a link from the posted article to another about the funding [zdnetasia.com].

The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

0.00 defects per infinity lines of code

If an automated system can detect bugs in code, why can't it fix them automatically too?

No MySQL?

I noticed that on Coverity's demo page [coverity.com], there's no mention of MySQL. If they *do* scan MySQL for bugs, why not have it on the front page?

Test of Leaked Vista/IIS code

Researchers at clandestine research labs in bases hidden deep in the Russian Alps have attempted to analyze portions of the leaked Internet Information Server (IIS) and Windows Vista code for similar flaws.

The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.

On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".

RE: Automated bug finding

Of course this system from Coverity only checks for static source code bugs, and not run-time errors or semantic errors. And even then, not even necessarily real bugs, but "possible" bugs. Sounds more like FxCop than anything else. The real meat of this evaluation was probably done on the Symantec side, which was probably a laundry list of tests for known vulnerabilities.

LA - fine M - okay P - ah so many varieties!

The LAMP stack when broken down consists of:
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.

P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?

Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.

Just Gnome?

What about KDE? icewm? XFce? Blackbox? KDE at the very minimum, I would think, was a significant oversight. And why FreeBSD? 'L' is for 'Linux'. It's not 'BAMP'. But so long as they were gonna test BSD, why not OpenBSD, the one that can't speak 3 sentences without yelling mentioning how secure it is? It's awesome to see the government do something like this, but I just have to wonder what their justification was for some of the things they picked.

what counts as a bug?

Did the article say what kinds of things the automated tool flagged as bugs?

Security is not a feature, security is design

Security is not a feature, security is design. This ultimely means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and most importantly knowledge how to use a system. This means that security only will need tools to help a system architect and developer to confront him with his limits of his human brain and have a well documented yet very simple concise system and low speed development cycles.

Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice. But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security, however someone may learn faster form the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source coorporate software is not good with security, but it isn't proof of sound security.

Most interesting is OpenBSD with it's oustanding default values, it's very own high profile malloc which prevents coders for lot of buffer underrunes/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".

Will Coverity contribute?

"The company did not give details on the scope of the flaws it found." After all that work reviewing a rather massive amount of code, are they not going to publish detailed results, or at least contact developers? They have their data for the study now. WTF?

From the lame-ass-metaphor dept.

"LAMP Lights the Way"?! Was Slashdot acquired by C|Net?

For the love of all that's holy, please drop the hackish high-school-newsletter headlines.

For the rest of us

What is there available for this kind of analysis that doesn't cost money to use?

Commercial metrics?

Do we have any metrics to compare this to Commercial software quality? I know thats a bit hard to answer, but I'm curious what this same tool has found when used on commercial code.

Maybe someone works for a company that used the tool on their code? Or some results have been published somewhere?

Hint to PHP devs

Add more linefeeds!!! ;)

bug reports?

17500000 lines of code, 0.434 bugs per 1000 lines, that makes 17500*0.434=7595 bugs, so where are the bugreports?

I hope they report all the bugs they found

I hope they report all the bugs they found in the source code with their automatic tools. Wow, once they fix all those bugs, there won't be any left, because obviously the tools found all the bugs that exist in the code, automatically, and didn't identify anything as a bug that wasn't one.

Same Math Error

Let's two different attempts to, say, parse XML are coded up. Let's further say one module is 1,000 lines of code and the other is 2,000 lines of code. Let's further suppose they have the exact same bugs, possibly resulting from a typo in the spec. The method used by Coverity would rate one version as being twice as buggy as the other. Indeed, the superior effort, the one that used only 1,000 lines of code, would be penalized for it's efficiency!

They keep on making the same mistake.

Free software

It's not really free software now that I'm being forced to pay for it.

more related

your post is also a dupe.

Re:Solaris

And it won't be long before Linux-zealots will start preemptively bashing Solaris to distract form the screaming shortcomings of their toy-OS. In fact, it will start in t 0.

Re:And for Windows XP?

If you were really pro open source, rather than anti-Microsoft, you'd probably not care.

Seriously, the "at least it's not Microsoft" argument shouldn't impress anybody. The desire to put out a superior product, period, should be motivation enough to undertake something along these lines.

Re:What about....

Parent: +1.33 (Sarcastic yet funny).

Re:Curious absence of OpenBSD/OpenSSH ...

a few regular committers to openbsd work at coverity

search the archives. it's explained