Homeland Security-backed effort shows defects drop in open source software

By Jack Vaughan, Managing Editor 24 Jun 2008 | SearchSoftwareQuality.com

Software quality news and advice Digg This!     StumbleUpon     Del.icio.us

The overall quality and security of open source software is improving, say researchers at the Scan Web site. The group cites a 16% reduction in average static analysis defect density over the past two years of studying open source projects. Nearly 10 billion lines of code were analyzed, according to the group.

As a result of the effort, defects in such open source projects as NTP, OpenVPN, Perl, PHP, Python, Samba, and TCL have been fixed.

The site was set up by the U.S. Department of Homeland Security, Stanford University, and development software maker Coverity as part of a multi-year effort aimed at hardening U.S. Government software, which, like the rest of the world's, now includes a healthy helping of open source.

Coverity's base source code analysis technology was originally developed at the Stanford Computer Science Laboratory. The www.scan.coverity.com site allows qualified open source software projects to work with the commercial Coverity Prevent static analysis tools to identify software defects. The site characterizes open source projects based on the progress each project makes in resolving defects.

The Web site was launched in March 2006, according to David Maxwell, open source strategist for Coverity. He said open source projects that registered to be part of the study get a view on problems in their code, and many have made code changes based on the information.

While the group has disclosed some overall trends in defect types in the Scan.Coverity.com Open Source Report for 2008, some defect details are privy to registered project participants only.

"We don't want to be a source of vulnerability," said Maxwell. Some projects that have not actively used the results of the study have shown subsequent increases in defects, he said.

This work arose as part of an initiative called the "Vulnerability Discovery and Remediation Open Source Hardening Project," undertaken by Homeland Security's Science and Technology Directorate to protect the U.S. telecommunications infrastructure. As a result, defects in such open source projects as NTP, OpenVPN, Perl, PHP, Python, Samba, and TCL have been fixed. Most prevalent among types of defects found in the open source projects were null pointers, resource leaks, and unintentional ignored exceptions.

Tags: Software testing and quality assurance (QA) fundamentals,  Software security testing tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Software testing and quality assurance (QA) fundamentals How to deal with iteration issues in Agile Five steps to fostering better software tester and QA results Software Testing: New software testing technologies bring new challenges Testing strategies for complex environments Astronaut's STPCon advice: Teamwork delivers "The Right Stuff" How to make your software tamperproof Software consortium seeks standard quality metrics Demo: Using WebGoat, a free software testing tool Seven steps for a quality change and configuration management program Winning responses to "Why is QA always the bottleneck?" Software security testing tools Beating software's cross-site scripting, authentication problems Free tools for Agile testers Put a stop to software espionage by watermarking source code How to make your software tamperproof How can I tell if my software security has been breached? Lesser-known free software testing tools testers should try Demo: Using WebGoat, a free software testing tool Rich Internet applications security testing checklist Finding cross-site scripting (XSS) application flaws checklist Webgoat Tutorial

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary build  (SearchSoftwareQuality.com) code review  (SearchSoftwareQuality.com) conformance testing  (SearchSoftwareQuality.com) error handling  (SearchSoftwareQuality.com) garbage in, garbage out  (SearchSoftwareQuality.com) load testing  (SearchSoftwareQuality.com) NUnit  (SearchSoftwareQuality.com) quality assurance  (SearchSoftwareQuality.com) stress testing  (SearchSoftwareQuality.com) white box  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary