By Wilson P. Dizard III
A two-year study of more than 55 million lines of code showed that
open-source systems include a variety of errors that closely track those
found in software written for proprietary systems.
The incidence of those errors in open-source code is declining,
according to a study that the Homeland Security Department funded. The
department hired Coverity to analyze more than 55 million lines of code
in two years as part of the government's Open Source Code Hardening
Coverity used its Scan service to help open-source developers improve
their products' security by pinpointing and categorizing code flaws.
Scan uses the company's widely deployed Coverity Prevent static
source-code analysis system.
The two-year project covered more than 250 popular open-source projects.
Open-source software products are improving in quality and security,
according to the study. Using the Scan service, researchers detected a
16 percent reduction in source code errors, based on a measure known as
static analysis defect density, during the past two years. Project
researchers cited a report from Gartner that states that by 2012, as
many as four-fifths of all commercial software will include open-source
The Scan site sorts open-source projects into rungs based on their
success in eliminating defects, Coverity said. "Projects at higher rungs
receive access to additional analysis capabilities and configuration
options," it said. "Projects are promoted as they resolve the majority
of defects identified at their current rung."
"The continued improvement of projects that already possess strong code
quality and security underscores the commitment of open-source
developers to create software of the highest integrity," said David
Maxwell, open-source strategist at Coverity.
The company said its initial two-year DHS contract is ending, and
Coverity will continue to operate the Scan site because of the favorable
response the project has received from software developers and others in
the open-source community.
The full Open Source Report 2008 is available here.