Homeland Security-backed effort shows defects drop in open source software

Jack Vaughan

The overall quality and security of open source software is improving, say researchers at the Scan Web site. The group cites a 16% reduction in average static analysis defect density over the past two years of studying open source projects. Nearly 10 billion lines of code were analyzed, according to the group.

    Requires Free Membership to View

 As a result of the effort, defects in such open source projects as NTP, OpenVPN, Perl, PHP, Python, Samba, and TCL have been fixed.

The site was set up by the U.S. Department of Homeland Security, Stanford University, and development software maker Coverity as part of a multi-year effort aimed at hardening U.S. Government software, which, like the rest of the world's, now includes a healthy helping of open source.

Coverity's base source code analysis technology was originally developed at the Stanford Computer Science Laboratory. The site allows qualified open source software projects to work with the commercial Coverity Prevent static analysis tools to identify software defects. The site characterizes open source projects based on the progress each project makes in resolving defects.

The Web site was launched in March 2006, according to David Maxwell, open source strategist for Coverity. He said open source projects that registered to be part of the study get a view on problems in their code, and many have made code changes based on the information.

While the group has disclosed some overall trends in defect types in the Open Source Report for 2008, some defect details are privy to registered project participants only.

"We don't want to be a source of vulnerability," said Maxwell. Some projects that have not actively used the results of the study have shown subsequent increases in defects, he said.

This work arose as part of an initiative called the "Vulnerability Discovery and Remediation Open Source Hardening Project," undertaken by Homeland Security's Science and Technology Directorate to protect the U.S. telecommunications infrastructure. As a result, defects in such open source projects as NTP, OpenVPN, Perl, PHP, Python, Samba, and TCL have been fixed. Most prevalent among types of defects found in the open source projects were null pointers, resource leaks, and unintentional ignored exceptions.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: