
By Joris Evers
Posted on ZDNet News: Mar 6, 2006 10:20:00 PM

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.

The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.

The U.S. Department of Homeland Security awarded $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."

LAMP includes the Linux operating system, Apache Web server, MySQL database and a scripting language--PHP, Perl or Python. It has been pushing its way into mainstream corporate computing, a rival to Java and Microsoft's .Net.

In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.

There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.

Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.

Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open-source code against that of proprietary code, because proprietary code is not available for scanning.

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

A PDF of the Coverity analysis is available for download (registration required).


Talkback (most recent of 32)

Amanda Now Has Zero Code Defects!
Less than a week after the release of the Coverity results, the Amanda development community fixed all outstanding software bugs (http://scan.coverity.com/). This is quite a testa...
Posted by: Manny10 Posted on: 03/29/06