Government Technology

Report Says Open Source Code Grows More Secure



October 2, 2009 By

Many developers who write software in popular open source languages like Perl and Ruby are writing programs with more high-quality code these days, according to a recent survey conducted by Coverity Inc., a company that creates tools for software development and integrity - good news for security-minded consumers, to say the least.

"They've got just millions of users out there who are depending on the code. These developers know that and they take it fairly seriously, so they do a number of things to make their development practices as good as possible," said company Open Source Strategist and Scan Program Director David Maxwell.

The company released the 2009 Coverity Scan Open Source Report in September, the second of its kind and the result of an analysis of a three-year data pool of developer-submitted code that's been examined for software defects by the Coverity Scan project. Since 2006, the company's Scan site has given more than 60 million lines of code the once-over from more than 280 projects like Firefox, Linux and PHP.

According to Coverity Scan, there's been a 16 percent reduction in defect density, or the ratio of the number of defects identified in every 1,000 lines of code, during the past three years of analysis.

Maxwell finds this gradual improvement in code quality encouraging.

"I think that years ago, people wrote open source for their own purposes to solve their own problems and they didn't necessarily expect that some of the code was going to become as widely used as it is today," he said. Nowadays, people behind projects get the point that writing secure programs is important as well, not just programs that work.

"There are more and more projects today that are seeing the implications of what a bug in their software could mean," Maxwell said.

Developers who submit their programs to Coverity Scan can use the analysis to locate bugs and fix them according to the findings. Coverity ranks certain programs in a ladder system depending on how secure they are - Rung 3 the most secure and Rung 1 the least. When Coverity released its first report in 2008, 11 projects had moved to Rung 2 from Rung 1. That number grew to 36 in the 2009 edition.

"Since 2006, because of this effort, more than 11,200 defects have been eliminated before they made it to the end-users, so if you multiply that times the millions of users who interact with the software on a daily basis, we're quite satisfied that we're making a good impact," Maxwell said.

The 2009 report also claims that fewer code bugs are found further down in code functions. In other words, if a developer writes a program "action" that consists of several lines of code, the farther down you get in the lines, the fewer errors you'll see than near or at the top.

The Scan project was created after the Coverity Scan Initiative was launched in 2006 with funding from the U.S. Department of Homeland Security.

 


| More

Comments

Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Cybersecurity in an "All-IP World" Are You Prepared?
In a recent survey conducted by Public CIO, over 125 respondents shared how they protect their environments from cyber threats and the challenges they see in an all-IP world. Read how your cybersecurity strategies and attitudes compare with your peers.
Maintain Your IT Budget with Consistent Compliance Practices
Between the demands of meeting federal IT compliance mandates, increasing cybersecurity threats, and ever-shrinking budgets, it’s not uncommon for routine maintenance tasks to slip among state and local government IT departments. If it’s been months, or even only days, since you have maintained your systems, your agency may not be prepared for a compliance audit—and that could have severe financial consequences. Regardless of your mission, consistent systems keep your data secure, your age
Best Practice Guide for Cloud and As-A-Service Procurements
While technology service options for government continue to evolve, procurement processes and policies have remained firmly rooted in practices that are no longer effective. This guide, built upon the collaborative work of state and local government and industry executives, outlines and explains the changes needed for more flexible and agile procurement processes.
View All

Featured Papers