Coverity Reports Open Source Security Making Great Strides

Posted by ScuttleMonkey
from the patting-yourself-on-the-back dept.
Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."
  • What is Overdose? I've searched Google, but all I get is links to heroin recovery groups...
  • Dupe? (Score:3, Informative)

    by hax0r_this (1073148) on Friday January 11, 2008 @05:55PM (#22005890)
    Is this story different than this one? [slashdot.org]
  • Anyone else (Score:5, Funny)

    by Bloke down the pub (861787) on Friday January 11, 2008 @05:55PM (#22005896)
    Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.
  • Dupe (Score:2, Informative)

    by sethawoolley (1005201)
    Come on guys, didn't you notice this one a couple days ago?

    http://it.slashdot.org/article.pl?sid=08/01/09/0027229 [slashdot.org]

  • by gQuigs (913879) on Friday January 11, 2008 @06:00PM (#22005992) Homepage
    If you are involved in said projects, please contact coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

    Rung 0: http://scan.coverity.com/rung0.html [coverity.com]
    • by X0563511 (793323)
      At the bottom of the page:

      If you have any questions or would like to suggest additional
      projects to be added, please email [SNIP]


      To get the snipped email, ROT-13 this: fpna-nqzva@pbirevgl.pbz
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      My project is one of the 173.

      Coverity contacted me several months ago. I fixed every issue that they raised and informed them of such. They said thanks and I heard nothing more.

      Now they say that my project is in "Rung 0" and they haven't responded to my efforts to contact them. So I really have no idea what is going on; whether they found something new (and unknown to me), or that I'm supposed to be doing something that I haven't done, or what.
  • Experience with Nmap (Score:4, Informative)

    by katterjohn (726348) on Friday January 11, 2008 @06:06PM (#22006112)
    I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.
  • I wonder if these fixes will make any difference in the real world.
    I use most of those programs and they are already 100% reliable for me.
    • by Secrity (742221)
      These bugs are not normally noticeable by the user, but some of the bugs may be exploitable.
    • by chromatic (9471)

      Some of the bugs I've fixed could have been crashers in certain circumstances. They were unlikely cases, but they had potential unpleasantness.

    • Reliability is an indication that certain kinds of security flaws are less likely, yes, but... oh, here, have an analogy on me... your car has never accidentally shifted into reverse, I would assume. Does that tell you anything about whether you can pop the trunk open by whacking the bumper in the right place?
    • Re: (Score:3, Informative)

      by iabervon (1971)
      Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

      A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach t
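As an added illustration of the error-path pattern iabervon describes (example code written for this page, not code from the thread, from Coverity, or from any of the scanned projects), the following C shows a lookup that returns NULL on a missing key, a caller that dereferences that result unconditionally, and a corrected caller that reports the error instead. The settings table, key names and function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample configuration table. A lookup for a key that is
 * absent returns NULL, which is exactly the error case a static checker
 * flags when the caller then dereferences the result without testing it. */
struct setting { const char *key; const char *value; };

static const struct setting settings[] = {
    { "listen_port", "8080" },
    { "log_level",   "info" },
};

/* Returns the configured value for key, or NULL when the key is absent. */
static const char *lookup(const char *key)
{
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++)
        if (strcmp(settings[i].key, key) == 0)
            return settings[i].value;
    return NULL;
}

/* Before: correct for every key that exists, but on the first missing key
 * it crashes "cleanly" with a NULL dereference instead of reporting the
 * error. This is the class of finding the comment above describes. */
size_t value_length_unchecked(const char *key)
{
    const char *v = lookup(key);
    return strlen(v);   /* v may be NULL here: undefined behaviour */
}

/* After: the error path is explicit and reported to the caller.
 * Returns 0 on success and -1 when the key is not configured. */
int value_length_checked(const char *key, size_t *out)
{
    const char *v = lookup(key);
    if (v == NULL) {
        fprintf(stderr, "config: missing required key '%s'\n", key);
        return -1;
    }
    *out = strlen(v);
    return 0;
}

/* Convenience wrapper for callers that prefer a single return value:
 * the length, or -1 when the key is missing. */
long checked_length(const char *key)
{
    size_t n;
    return value_length_checked(key, &n) == 0 ? (long)n : -1L;
}

int main(void)
{
    printf("listen_port -> %zu chars\n", value_length_unchecked("listen_port"));
    if (checked_length("max_clients") < 0)
        printf("max_clients reported as missing, no crash\n");
    /* value_length_unchecked("max_clients") would dereference NULL here. */
    return 0;
}
```

The unchecked version never misbehaves as long as every caller happens to pass a present key, which is why such code can sit in a "100% reliable" program for years; the checked version turns the same input into a reported error rather than a crash, and, where the input is attacker-controlled, removes a trivially reachable denial-of-service condition.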
  • by ivoras (455934) <ivoras@nosPAm.fer.hr> on Friday January 11, 2008 @07:27PM (#22007462) Homepage
    There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html [informationweek.com] See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html [freebsd.org] for discussion on FreeBSD.
  • Seems ironic that you'd test and certify open source software with closed source test code.
    So where can you download the source code for the Prevent suite and all its plugins?
    • TFriendlyA mentions that the freebsd project uses its own scanner, and the author of the article seems to think it's a variant of Prevent.

      Looking up Prevent on wikipedia indicates that Prevent SQS was derived from the Stanford Checker.

      http://en.wikipedia.org/wiki/Coverity [wikipedia.org]
    • by INT_QRK (1043164)
      This is a huge point! Thank you! So, if DHS would perhaps consider funding, supporting, encouraging, sponsoring, etc., an Open Source project for a software assurance tool set, then such a product could be backed by rigorous peer review from the FLOSS community as well as academia to better ensure validity and continuous improvement. Perhaps Federally Funded Research and Development (FFRDC) Centers such as Carnegie-Mellon's Software Engineering Institute (SEI) could even be funded for full time CM and repo
  • by Deanalator (806515) <pierce403@gmail.com> on Friday January 11, 2008 @08:22PM (#22008192) Homepage
    A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

    If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.
    • by epine (68316)
      Coverity is doing what all the firewall vendors do, self-inventing threats and then focusing all the dialog on count statistics. It's almost impossible to find coverage on Coverity in terms of what classes of bugs they detect, and the relative importance of the bugs they find. How many are of the "oh my god" variety? I would hazard a guess somewhere between 1 and 5 percent. This is not a number Coverity wishes to see tracked in public forums, as their effort to inflate total bug counts will inevitably d
    • by nous (62496)

      A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

      I have

  • by solinym (1215798) on Friday January 11, 2008 @09:19PM (#22008906) Homepage
    I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

    http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5 [subspacefield.org]

    If I've missed any - or if you have any other suggestions - please email me.

    I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

    • by Sanat (702)
      Thanks for sharing the information on Security concepts. It looks nice so far (haven't read it all yet) and it says some things in succinct ways that I have always had a difficult time putting into words.

      This document is noteworthy and is worth a look.

  • I'm a bit more interested in who were the least in fixing their bugs...
