Slashdot Mirror

← Back to Stories (view on slashdot.org)

LAMP Lights the OSS Security Way

Posted by ryuzaki0 on from the bashing-in-the-heads-of-bugs dept.

Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"

18 of 178 comments (clear)

  1. Fucking LAMP. by autopr0n · · Score: 5, Insightful

    I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

    To me, MySQL is like the MS Access of the Open Source world.

    --
    autopr0n is like, down and stuff.
    1. Re:Fucking LAMP. by Bad+Boy+Marty · · Score: 1, Insightful

      Used it on a site that took a million hits a day. Using the same table definitions, MySQL ran about 5 times faster.

      --
      RHCE; are you certified? Karma: ambiguous.
    2. Re:Fucking LAMP. by aurb · · Score: 2, Insightful

      Indeed. I wonder why people are not using SQLite where they need a fast and not _very, very_ large database (that's the case with most websites). And if there's a need for a big and reliable db -- PostgreSQL is the answer.

    3. Re:Fucking LAMP. by Lumpy · · Score: 4, Insightful

      I'm sick of DB makers ignoring standards and making their SQL not 100% SQL99 compliant.

      it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

      That is one of the big problems. the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MYSQL, and Oracle that cause pain and suffering like this.

      --
      Do not look at laser with remaining good eye.
    4. Re:Fucking LAMP. by Khelder · · Score: 3, Insightful

      Well, the GP didn't say what kind of undergraduate degree program he was in, so maybe it was on something very applied like "Database Administration" and you're right.

      But if he's getting a Computer Science degree (which seems to be the plurality of students on /.), then his courses should *not* be emphasizing how the syntax for database A is different from the syntax for database B. The courses should be about higher level concepts (maybe replication, or normalization).

    5. Re:Fucking LAMP. by NitsujTPU · · Score: 3, Insightful

      Exactly. I didn't sign up to go to a trade school. I signed up to learn CS.

  2. don't waste that $$$! by urdine · · Score: 2, Insightful

    Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

    1. Re:don't waste that $$$! by Anonymous Coward · · Score: 1, Insightful

      Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!
      They do - it says so in the article.

  3. The LAMP devs _have_ to write secure code. by Anonymous Coward · · Score: 1, Insightful

    After all, that stuff's running most of the Internet.

  4. Re:Maybe I've been reading too much politics latel by gbjbaanb · · Score: 4, Insightful

    Well, once you read this snippet from the article, they'll have enough ammo:

    "There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

    I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

  5. YEAH RIGHT! by suso · · Score: 4, Insightful

    Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

    Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless its the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".

    I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.

    1. Re:YEAH RIGHT! by maelstrom · · Score: 2, Insightful

      I think it should be obvious this bug scanner only picks up on certain classes of "bugs". If they had an automated way of detecting all types of bugs, they would be rich beyond their wildest dreams. I imagine it picks up certain things like out of bound accesses, mallocs without frees, etc. It would make sense that Amanda would have more types of these operations going on than something like xmms.

      --
      The more you know, the less you understand.
  6. Re:Huh? by muhgcee · · Score: 3, Insightful

    I work at a company that uses Postgres with one of our products. When there are a lot of INSERTs into the Postgres database, it needs to be vaccuumed or it slows to a crawl.

  7. Umm... Way to go Department of Homeland Security? by Wannabe+Code+Monkey · · Score: 3, Insightful

    I have to say, I'm suprised and impressed... a $1.2M grant to harden open source software? Thanks all seeing orwellian eyeball. I don't recall slashdot posting anything about the original grant but here's a link from the posted article to another about the funding.

    The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

    --
    We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
  8. 0.00 defects per infinity lines of code by mwvdlee · · Score: 3, Insightful

    If an automated system can detect bugs in code, why can't it fix them automatically too?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  9. MySQL by suso · · Score: 2, Insightful

    I don't trust Oracle

    Honestly, I don't trust MySQL either. Every since they started going more commercial, there have been indications that eventually MySQL will be more closed up than open. But that's just speculation. So I've been slowly switching my stuff to use Postgresql. The only problem I have with postgresql is that it doesn't handle user administration as well. Other than that, its awesome.

  10. Security is not a feature, security is design by Device666 · · Score: 4, Insightful

    Security is not a feature, security is design. This ultimely means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and most importantly knowledge how to use a system. This means that security only will need tools to help a system architect and developer to confront him with his limits of his human brain and have a well documented yet very simple concise system and low speed development cycles.

    Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice. But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security, however someone may learn faster form the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source coorporate software is not good with security, but it isn't proof of sound security.

    Most interesting is OpenBSD with it's oustanding default values, it's very own high profile malloc which prevents coders for lot of buffer underrunes/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".

  11. Re:Old news by Anonymous Coward · · Score: 1, Insightful

    I've always been curious how the oldest comment can be redundant...