Open source developers apparently don’t adhere to best practices such as using static analysis and conducting regular security audits, found Coverity’s Spotlight report, released Wednesday. The Coverity Scan service, which is available at no charge to open source projects, helped devs find and fix about 50,000 quality and security defects in code last year. That number can be attributed in part to continuous improvement, which lets users find previously undetected defects.
Since this is 50% ad for Coverity, let's talk about that for a moment. I wonder if it could have found Heartbleed, Shellshock, or POODLE? I'm guessing no for the latter two, since those were mainly algorithmic problems. And if it found Heartbleed, I'd again guess that it may find a fair number of false positives, since the Heartbleed code was correct on the face of it: it had a bounds check but chose the wrong variable for the check.
I'm not for a moment saying there's not some good value in what Coverity and similar tools do. Just saying that it's not a silver bullet and getting an OK from a code tester is no indication that the protocol implemented in the code is a secure one.
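The "wrong variable" defect class the comment describes, as an added example that is not the original post's or OpenSSL's code: on a constructed, simplified heartbeat-style record, the defective version checks the copy length against a destination buffer sized from the peer's own claim (a check that is satisfied by construction), while the corrected version checks it against the record length that actually arrived. Record layout, function names and sample records are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified heartbeat-style record (not OpenSSL's layout):
 *   byte 0      : message type
 *   bytes 1..2  : claimed payload length, big-endian, chosen by the peer
 *   bytes 3..   : payload
 * record_len is the number of bytes the transport actually delivered. */
#define HDR_LEN 3

static size_t claimed_payload_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Defective version: the only bounds check compares the copy length against
 * the *destination* buffer, whose size was itself derived from the peer's
 * claim, so the check can never fail. The source record's real length is
 * never consulted. Returns the byte count that would be copied; the copy
 * itself is omitted because it would read past the end of the record. */
size_t echo_len_wrong_bound(const uint8_t *rec, size_t record_len) {
    size_t payload = claimed_payload_len(rec);
    size_t dest_cap = HDR_LEN + payload;       /* sized from the claim */
    (void)record_len;                          /* the right bound, unused */
    if (HDR_LEN + payload > dest_cap)          /* never true */
        return 0;
    return payload;
}

/* Corrected version: bound the claim by what actually arrived. */
size_t echo_len_right_bound(const uint8_t *rec, size_t record_len) {
    if (record_len < HDR_LEN)
        return 0;
    size_t payload = claimed_payload_len(rec);
    if (HDR_LEN + payload > record_len)        /* claim exceeds the record */
        return 0;
    return payload;
}

/* Constructed sample records: an honest 4-byte payload, and one that
 * claims 65535 bytes while delivering only 4. */
static const uint8_t honest_rec[] = {0x01, 0x00, 0x04, 'a', 'b', 'c', 'd'};
static const uint8_t lying_rec[]  = {0x01, 0xFF, 0xFF, 'a', 'b', 'c', 'd'};
```

A checker that only confirms "a bounds check exists before the copy" is satisfied by the defective version; relating the copy length to the size of the source record is what exposes it.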
Report: Open Source Needs to Get With the Security Program
Posted by: Richard Adhikari, October 15, 2014 10:37 AM