Coverity Reports Open Source Security Making Great Strides

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."

Dupe?

[hax0r_this]

Is this story different than this one? [slashdot.org]

Dupe

[sethawoolley]

Come on guys, didn't you notice this one a couple days ago?

http://it.slashdot.org/article.pl?sid=08/01/09/0027229 [slashdot.org]

173 Projects NOT being actively scanned

[gQuigs]

If you are involved in said projects, please contact coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

Rung 0: http://scan.coverity.com/rung0.html [coverity.com]

Experience with Nmap

[katterjohn]

I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.

Update on the article is posted

[ivoras]

There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html [informationweek.com] See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html [freebsd.org] for discussion on FreeBSD.

open source vs. closed source security

[solinym]

I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5 [subspacefield.org]

If I've missed any - or if you have any other suggestions - please email me.

I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

Re:Any real effect?

[iabervon]

Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach that point, it may not matter (e.g., if there's some weird thing the user can do that crashes their mail client, it's not a big deal, because anyone who could do that could also just tell it to quit). But, again, reasonable changes to the code could expose this as a real problem, and having these flaws means that the description of the state of the program that the programmer has to keep in mind in order to only make correct changes is more complicated, and the intended behavior of the program is harder to pick out from the actual code.

And then, of course, there are real issues that they're finding, and these are often difficult to distinguish automatically from things that are just badly written, and it's better to just fix everything that's wrong rather than trying to determine how wrong it is.