January 09, 2008

Coverity project outing open source flaws

Static source code analysis specialists Coverity reported this week that its ongoing work to find flaws in open source projects, being carried out under a contract from the U.S. Department of Homeland Security, is having a significant impact.

According to company officials, Coverity has helped fix more than 7,800 software defects since launching its effort in March of 2006.

Under the project, the company has unearthed issues in 11 major open source projects in particular: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

The project has also addressed security vulnerabilities in popular mainstream open source applications such as the Firefox Web browser produced by Mozilla, the Linux OS and Apache server software. Other high-profile projects scanned by the company include

As part of the effort the company has used its "Scan" site as a clearinghouse to share results of its work and for people to submit additional projects that they would like for the company to look into.

DHS got involved in the process and awarded the contract on the premise that securing major open source platforms would improve the overall security of the businesses and organizations that use those programs -- including the U.S. government. The initiative was funded under the federal government's broader Open Source Code Hardening Project.

Based on its existing results, Coverity announced this week that it would advance the 11 major projects to "rung 2" of its open source "security ladder," where they will be put under further scrutiny. The process will specifically involve use of Coverity's "application of Boolean satisfiability" in static analysis. (FTR satisfiability is not a real word, yet.)

Static analysis, as Coverity defines it, is a set of processes for finding source code flaws without executing the program or supplying test datasets or test cases.

The company promises that the new capability "creates a bit-accurate representation of a software system, where every relevant software operation is translated into Boolean values (true and false) and Boolean operators (such as and, not, or)."
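To make that description concrete, here is an added illustration (not Coverity's code, and not from the original post) of what a bit-accurate Boolean model buys you: the C-style check `if (x + 1 < x)` is unreachable over mathematical integers, but over an unsigned N-bit `x` it is reachable, and a model built from AND/OR/XOR over individual bits finds the witness. The predicate, the bit width and the brute-force enumeration (standing in for a SAT solver) are all assumptions of this example.

```python
"""Bit-accurate modelling of a code path as a Boolean formula (illustration).

The C-like guard `if (x + 1 < x)` is modelled for an unsigned N-bit x.
The addition is expanded into a ripple-carry adder and the comparison into
a bit-wise comparator, i.e. AND/OR/XOR over individual bits, and the
resulting formula is checked for satisfiability by enumerating every
assignment. A real analyser hands the formula to a SAT solver instead.
"""
from itertools import product


def add_bits(a, b):
    """Ripple-carry adder over little-endian bit tuples; wraps modulo 2^N."""
    out, carry = [], False
    for x, y in zip(a, b):
        out.append(x ^ y ^ carry)
        carry = (x and y) or (carry and (x ^ y))
    return tuple(out)


def less_than(a, b):
    """Unsigned a < b, decided at the most significant differing bit."""
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            return (not x) and y
    return False


def const_bits(value, n):
    """Encode an integer constant as an n-bit little-endian tuple."""
    return tuple(bool((value >> i) & 1) for i in range(n))


def to_int(bits):
    """Decode a little-endian bit tuple back to an integer witness."""
    return sum(int(b) << i for i, b in enumerate(bits))


def path_feasible(n):
    """Return an n-bit x for which `x + 1 < x` holds, or None if unsatisfiable."""
    one = const_bits(1, n)
    for assignment in product((False, True), repeat=n):
        if less_than(add_bits(assignment, one), assignment):
            return to_int(assignment)
    return None


def path_feasible_unbounded(candidates):
    """Same predicate over mathematical integers: no candidate satisfies it."""
    return next((x for x in candidates if x + 1 < x), None)
```

Over unbounded integers the guarded branch looks dead, which is exactly the "code path the developer doesn't realize is possible" situation the article describes; the bit-level model reports it reachable with `x == 2**n - 1`.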

David Maxwell, Coverity's open source strategist, who is responsible for Scan and other open source efforts at the company, said that his team has put its tools to work on a total of 116 open source projects thus far.

The company is currently finding new defects on a near-hourly basis, he said.

Maxwell said that one of the obstacles the effort needs to overcome is the perception that it is finished, when in fact the work continues to move forward, with plans for further expansion.

"Some people don't seem to understand that this is still an ongoing effort, that we are scanning projects on a nightly basis," he said. "We're looking at anything new in the code [of the projects it is working on] and examining new features and functions to try and catch defects before they get released."

Maxwell said that Coverity plans to stay focused on testing the most widely used open source projects worldwide, and that its short-term plans involve upgrading the project to use the firm's latest Prevent SQS 3.6 release of its scanning software.

One of the greatest benefits of that move will be the ability to tap into the product's updated analysis engine, he said.

"Even though we're still looking for the same types of defects, we've identified hundreds of new defects that the old analysis engine wasn't able to find," said Maxwell. "In many cases these were problems that were always in the code that developers couldn't resolve. Our hope is that we can also waste less of developers' time spent chasing false positives, or helping them in situations where they don't realize that a certain code path is possible, where they might fail to identify problems."

Overall, Maxwell believes that the security of most open source projects is improving, and he contends that centralized projects such as Coverity's will be key to continued gains.

"These projects have large code bases, spread across developers at different companies, and most often there is no lead architect to drive this security work," he said. "That's why it's really useful to have one way of examining code; not every programmer is well-versed in secure coding, so it's good to have a tool to look at all the different rules about writing good code, and a lot more issues should be eliminated."

Posted by Matt Hines on January 9, 2008 10:41 AM
COMMENTS

The headline is sensational and doesn't represent the article accurately. After actually looking at what Coverity is doing, it looks like they are discovering security flaws THAT ARE RAPIDLY BEING FIXED by the open source application teams. Research on the incidence of bugs in ALL software suggests that 1 error per 1000 lines of code is about normal. By this measure, Windows VISTA might have 40,000 errors. This article implies that open source is worse than non-open source. For some projects, that may be true, but for the Rung 2 projects in the Coverity study - things like PHP, Perl and Python - it looks like they are of higher quality than average even when compared to commercial software. This article missed that point.

Posted by: Tom Robinson at January 10, 2008 01:40 PM