[DLC] Fwd: [ISN] Open source security bugs uncovered

Gianfranco Berardi pigeon_gb at yahoo.com
Fri Jan 11 07:14:08 CST 2008


You mean if we were smart, had some kind of audience we were
addressing, and something to gain out of telling this properly-told
story. B-)


--- Larry Garfield <larry at garfieldtech.com> wrote:

> Now if we were smart, we'd spin the story properly:
> 
> Security researchers have found 180 leading open source applications to be
> only 0.1% insecure.  Meanwhile, 400 large proprietary companies declined to
> comment on how buggy their software is.
> 
> On Thursday 10 January 2008, Jamesha Y Fisher wrote:
> > Something Interesting to look at for the Security Linux People (or
> > just any people in general).
> >
> >
> > ---------- Forwarded message ----------
> > From: InfoSec News <alerts at infosecnews.org>
> > Date: Jan 10, 2008 12:16 AM
> > Subject: [ISN] Open source security bugs uncovered
> > To: isn at infosecnews.org
> >
> >
> > http://www.techworld.com/security/news/index.cfm?newsID=11086
> >
> > By Matthew Broersma
> > Techworld
> > 09 January 2008
> >
> > A US Department of Homeland Security (DHS) bug-fixing scheme has
> > uncovered an average of one security glitch per 1,000 lines of code in
> > 180 widely used open source software projects.
> >
> > The programme, called the Open Source Hardening Project, is sponsored by
> > the DHS and carried out by Coverity and Stanford University. Launched in
> > March 2006, the $300,000 project was initially launched to review the
> > code of 180 open source software projects frequently used by developers
> > of government websites and application developers.
> >
> > All the software scrutinised was found to have significant numbers of
> > security flaws, Coverity said on Wednesday. Since 2006 the project has
> > helped fix 7,826 open source flaws in 250 projects, out of 50 million
> > lines of code scanned, the company said.
> >
> > Coverity also scans proprietary software, handling about 400 product
> > lines for private customers, but said its private clients don't tend to
> > disclose information about bugs found in their products.
> >
> > Many of the open source projects scanned have been assiduous in
> > repairing the bugs that have turned up, and on Wednesday Coverity
> > advanced the first batch of 11 open source projects to its second stage
> > of the bug-cleansing process, called Rung 2. Many more remain on Rung 1
> > or even Rung 0, meaning they haven't yet begun to fix the flaws
> > identified.
> >
> > The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP,
> > Postfix, Python, Samba, and TCL. Other popular software the project has
> > scrutinised includes Apache, the Linux kernel and Firefox.
> >
> > Rung 2 is the highest security level yet reached under the DHS project,
> > and was attained by eliminating several classes of security and quality
> > defects, according to Coverity open source strategist David Maxwell.
> >
> > For instance, 236 flaws were uncovered in 450,000 lines of Samba code,
> > of which 228 have been corrected.
> >
> > Having passed to the next level, Coverity will provide the projects with
> > an updated version of its scanner product, which will allow developers
> > to identify still more flaws.
> >
> > The Rung 2 scanning service will be upgraded from version 2.4 to version
> > 3.6 of Coverity's Prevent bug-scanning product, Coverity said. The
> > latest version in commercial use is 3.8.
> >
> > The bug checks are carried out via Coverity's Scan website.
> >
> >
> > __________________________________________________________________
> > Visit InfoSec News
> > http://www.infosecnews.org/
> 
> 
> -- 
> Larry Garfield			AIM: LOLG42
> larry at garfieldtech.com		ICQ: 6817012
> 
> "If nature has made any one thing less susceptible than all others of
> exclusive property, it is the action of the thinking power called an idea,
> which an individual may exclusively possess as long as he keeps it to
> himself; but the moment it is divulged, it forces itself into the possession
> of every one, and the receiver cannot dispossess himself of it."  --
> Thomas Jefferson
> _______________________________________________
> DLC mailing list
> DLC at mailman.depaul.edu
> http://mailman.depaul.edu/mailman/listinfo/dlc
> http://linux.depaul.edu/
> 





