Coverity Reports Open Source Security Making Great Strides
Coverity claims to have found, and helped fix, more than 7,500 security flaws in open source software since the start of its U.S. government-backed Scan project, which is designed to harden open source code through static analysis. The company has also singled out eleven projects that have been especially responsive in correcting the defects reported to them. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."
Dupe? (Score:3, Informative)
Dupe (Score:2, Informative)
http://it.slashdot.org/article.pl?sid=08/01/09/0027229
173 Projects NOT being actively scanned (Score:3, Informative)
Rung 0: http://scan.coverity.com/rung0.html
Experience with Nmap (Score:4, Informative)
Update on the article is posted (Score:5, Informative)
open source vs. closed source security (Score:3, Informative)
http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5
If I've missed any - or if you have any other suggestions - please email me.
I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)
Re:Any real effect? (Score:3, Informative)
A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach that point, it may not matter (e.g., if there's some weird thing the user can do that crashes their mail client, it's not a big deal, because anyone who could do that could also just tell it to quit). But, again, reasonable changes to the code could expose this as a real problem, and having these flaws means that the description of the state of the program that the programmer has to keep in mind in order to only make correct changes is more complicated, and the intended behavior of the program is harder to pick out from the actual code.
And then, of course, there are real issues that they're finding, and these are often difficult to distinguish automatically from things that are just badly written, and it's better to just fix everything that's wrong rather than trying to determine how wrong it is.
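The NULL-dereference-in-an-error-path pattern the comment above describes, shown concretely. This is an added example, not code from the article, from Coverity, or from the commenter: a constructed "key=value" config-line parser in its flawed form (a missing '=' makes strchr() return NULL, which is then dereferenced, so the process segfaults instead of reporting the bad line) beside a hardened form that returns a distinct error code for each malformed input. The config lines, the struct, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

struct kv {
    char key[32];
    char value[64];
};

/* Flawed form: strchr() returns NULL when the line has no '=', and the
 * code dereferences it anyway. The process dies with a "clean" segfault
 * rather than reporting the malformed line; static analysers report this
 * as a NULL-return dereference. Never call with a line lacking '='. */
int parse_kv_unchecked(const char *line, struct kv *out)
{
    const char *eq = strchr(line, '=');
    size_t vlen = strlen(eq + 1);              /* NULL + 1 is read here */
    size_t klen = (size_t)(eq - line);
    if (klen >= sizeof out->key || vlen >= sizeof out->value)
        return -1;
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    memcpy(out->value, eq + 1, vlen + 1);
    return 0;
}

enum kv_status {
    KV_OK = 0,
    KV_ERR_NO_EQUALS,
    KV_ERR_EMPTY_KEY,
    KV_ERR_KEY_TOO_LONG,
    KV_ERR_VALUE_TOO_LONG
};

/* Hardened form: each way the input can be malformed is reported as a
 * distinct status instead of being left to crash the caller. */
enum kv_status parse_kv(const char *line, struct kv *out)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return KV_ERR_NO_EQUALS;
    size_t klen = (size_t)(eq - line);
    if (klen == 0)
        return KV_ERR_EMPTY_KEY;
    if (klen >= sizeof out->key)
        return KV_ERR_KEY_TOO_LONG;
    size_t vlen = strlen(eq + 1);
    if (vlen >= sizeof out->value)
        return KV_ERR_VALUE_TOO_LONG;
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    memcpy(out->value, eq + 1, vlen + 1);
    return KV_OK;
}

/* Status of parsing one line, discarding the parsed pair. */
enum kv_status kv_status_of(const char *line)
{
    struct kv r;
    return parse_kv(line, &r);
}

/* 1 if the line parses cleanly and yields exactly the expected pair. */
int kv_matches(const char *line, const char *key, const char *value)
{
    struct kv r;
    return parse_kv(line, &r) == KV_OK
        && strcmp(r.key, key) == 0
        && strcmp(r.value, value) == 0;
}

/* Parses every line and returns how many were rejected: because the
 * hardened parser never crashes, a caller can finish the whole file
 * and report every bad line rather than dying at the first one. */
size_t count_rejected(const char *const *lines, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct kv r;
        if (parse_kv(lines[i], &r) != KV_OK)
            bad++;
    }
    return bad;
}

/* Constructed sample config: line 3 has no '=', line 4 has no key. */
static const char *const SAMPLE_LINES[] = {
    "listen=0.0.0.0", "port=8080", "garbage line", "=orphan value"
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        struct kv r;
        enum kv_status s = parse_kv(SAMPLE_LINES[i], &r);
        if (s == KV_OK)
            printf("ok   : %s -> [%s] = [%s]\n", SAMPLE_LINES[i], r.key, r.value);
        else
            printf("error: %s (status %d)\n", SAMPLE_LINES[i], (int)s);
    }
    printf("%zu of %zu lines rejected\n",
           count_rejected(SAMPLE_LINES, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

Running the hardened parser over the sample prints two accepted pairs, two error lines, and "2 of 4 lines rejected"; feeding "garbage line" to parse_kv_unchecked() instead would segfault in strlen(), which is exactly the crash-instead-of-error behaviour the comment calls out, and the reason such findings are worth fixing even when the current callers never hit them.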