Coverity: open source software ever more secure
Despite the waves made by the vulnerability in the Debian OpenSSL package reported in the second week of May, the quality of open source code and the security of open source software are constantly improving. That is the conclusion of Coverity’s 2008 Scan Report on Open Source Software (PDF file). The paper presents the results of recurring analyses of more than 55 million lines of source code carried out by the American company over a period of two years. The study looked at more than 250 popular open source applications, such as the Apache web server and the Linux kernel.
Coverity performed the analysis using its Coverity Prevent defect analysis tool, which sniffs out vulnerabilities in C, C++ and Java source code. The defect density is reported to have declined by 16 percent over the last two years. Coverity offers particular words of praise for the Samba open source CIFS implementation, the Amanda backup system, NTP, OpenVPN, the Postfix mail server and the Perl, PHP and Python languages. The projects tested are listed on Coverity’s Scan site, an initiative launched in 2006 as part of a vulnerability analysis contract with the US Department of Homeland Security. The projects registered at Scan are regularly monitored by Coverity.