Open source security bugs uncovered

Government project finds thousands of open source flaws.

A US Department of Homeland Security (DHS) bug-fixing scheme has uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open source software projects.

The program, called the Open Source Hardening Project, is sponsored by the DHS and carried out by Coverity and Stanford University. Launched in March 2006, the US$300,000 project was initially launched to review the code of 180 open source software projects frequently used by developers of government websites and application developers.

All the software scrutinized was found to have significant numbers of security flaws, Coverity said on Wednesday. Since 2006 the project has helped fix 7,826 open source flaws in 250 projects, out of 50 million lines of code scanned, the company said.

Coverity also scans proprietary software, handling about 400 product lines for private customers, but said its private clients don't tend to disclose information about bugs found in their products.

Many of the open source projects scanned have been assiduous in repairing the bugs that have turned up, and on Wednesday Coverity advanced the first batch of 11 open source projects to its second stage of the bug-cleansing process, called Rung 2. Many more remain on Rung 1 or even Rung 0, meaning they haven't yet begun to fix the flaws identified.

The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL. Other popular software the project has scrutinized include Apache, the Linux kernel and Firefox.

Rung 2 is the highest security level yet reached under the DHS project, and was attained by eliminating several classes of security and quality defects, according to Coverity open source strategist David Maxwell.

For instance, 236 flaws were uncovered in 450,000 lines of Samba code, of which 228 have been corrected.

Having passed to the next level, Coverity will provide the projects with an updated version of its scanner product, which will allow developers to identify still more flaws.

The Rung 2 scanning service will be upgraded from version 2.4 to version 3.6 of Coverity's Prevent bug-scanning product, Coverity said. The latest version in commercial use is 3.8.

The bug checks are carried out via Coverity's Scan website.

More about: Apache, Linux, Stanford University, VIA

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/149/dropbox/

Dropbox

Dropbox is a sharing tool that allows you to synchronize your documents, as well share files with others. It automatically uploads the files to the ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia