Slashdot Mirror
LAMP Lights the OSS Security Way
Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"
Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.
I need to do something about my cynicism.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.
To me, MySQL is like the MS Access of the Open Source world.
autopr0n is like, down and stuff.
Well, once you read this snippet from the article, they'll have enough ammo:
"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."
I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.
Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.
Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless its the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".
I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.
I work at a company that uses Postgres with one of our products. When there are a lot of INSERTs into the Postgres database, it needs to be vaccuumed or it slows to a crawl.
I have to say, I'm suprised and impressed... a $1.2M grant to harden open source software? Thanks all seeing orwellian eyeball. I don't recall slashdot posting anything about the original grant but here's a link from the posted article to another about the funding.
The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.
We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
If an automated system can detect bugs in code, why can't it fix them automatically too?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Researchers at clandestine research labs in bases hidden deep in the Russian Alps have attempted to analyze portions of the leaked Internet Information Server (IIS) and Windows Vista code for similar flaws.
The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.
On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".
sigs, as if you care.
The LAMP stack when broken down consists of:
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.
P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?
Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Interested minds couldn't care less.
James P. Barrett
Security is not a feature, security is design. This ultimely means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and most importantly knowledge how to use a system. This means that security only will need tools to help a system architect and developer to confront him with his limits of his human brain and have a well documented yet very simple concise system and low speed development cycles.
Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice. But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security, however someone may learn faster form the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source coorporate software is not good with security, but it isn't proof of sound security.
Most interesting is OpenBSD with it's oustanding default values, it's very own high profile malloc which prevents coders for lot of buffer underrunes/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".
Very Bad, and I have seen a US Defense - contracted software company (they even do helicopter systems) on their website extensively touting their 'lower defects per line of code (DLC)' methodology. Marketing.
Spot on, as you can see on scan.coverity.com:
- PHP features 205 defects for 431,327locs, or 0.475 defects/kloc
- Perl has 91 defects for 431,327locs, or 0.19 defects/kloc
- Python is very slightly lower than perl (but with a noticeably smaller codebase) at 49 defects for 259,908locs or 0.189 defects/kloc
- Apache-httpd features 32 defects in 127,817 locs, or 0.25 defect/klock
MySQL isn't featured (Ruby is also a noticeable absent), but PostgreSQL stands at 296 defects for 815,748 locs, or 0.363 defects/kloc, and the lightweight SQLite has 16 defects for 60,722 locs or 0.263 defect/klock."The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler