Coverity Reports Open Source Security Making Great Strides
Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."
Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.
It's true I tell you, feller at work's next door neighbour read it in the paper.
What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...
Ah, never mind. It's a Yahoo! chat client. I should have searched Sourceforge instead...
If you are involved in said projects, please contact Coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.
Rung 0: http://scan.coverity.com/rung0.html
Yes. It has a positive bias in the title (pro open source) instead of a negative one. We want slashdot to be fair and impartial right....?
ash
I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.
There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html for discussion on FreeBSD.
-- Sig down
A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self-respecting computer science journal, but they keep publishing.
If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.
http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5
If I've missed any - or if you have any other suggestions - please email me.
I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)