News | 9/23/2009 10:28 PM
Coverity Reports Reduction In Code Defects

The company started scanning open source code for reliability and integrity three years ago and has a Department of Homeland Security contract.

Coverity says the integrity and quality of the open source projects it scans for defects is improving. The company said it has measured a 16% reduction in static analysis defect density since it started scanning projects, including Linux, Samba, and Ruby, three years ago.

That reduction means 11,200 defects have been eliminated since Coverity undertook a $300,000 Department of Homeland Security contract to report on the reliability and integrity of open source software projects, often adopted for use in federal, state, and local government.

To find those defects, Coverity's automated inspector, Prevent, inspected 11 billion lines of code from 280 open source projects.

By defects, Coverity doesn't necessarily mean vulnerabilities and security exposures, although those are sometimes found as well. A defect is often a null pointer dereference in a C program, where code uses a pointer that does not hold a valid memory address. In some cases the software runs fine despite the defect. Weeding out these flaws means they can't be triggered by unforeseen or previously unencountered conditions in the program.
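As an added illustration of the kind of defect described above (example code written for this article, not from Coverity or any of the scanned projects), the function below works on every well-formed "key=value" line but dereferences a null pointer the first time it meets a line with no '='; the checked version beside it is what a static analysis finding would lead a developer to write.

```c
/* Added example, not from the article: a latent null pointer dereference
 * in C. value_len_buggy() behaves correctly on all input seen in testing,
 * yet strchr() returns NULL for a line without '=', and the buggy version
 * then reads through NULL + 1, the defect a static analyser reports. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buggy: assumes '=' is always present. Returns the length of the value. */
size_t value_len_buggy(const char *line)
{
    const char *eq = strchr(line, '=');
    return strlen(eq + 1);   /* NULL + 1 is dereferenced when '=' is absent */
}

/* Fixed: both the argument and the strchr() result are checked;
 * -1 signals a malformed line instead of crashing. */
long value_len_checked(const char *line)
{
    if (line == NULL)
        return -1;
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    return (long)strlen(eq + 1);
}

int main(void)
{
    /* Constructed sample input: one well-formed line, one malformed line. */
    const char *good = "user=alice";
    const char *bad = "no-separator-here";

    printf("buggy   (%s): %zu\n", good, value_len_buggy(good));
    printf("checked (%s): %ld\n", good, value_len_checked(good));
    printf("checked (%s): %ld\n", bad, value_len_checked(bad));
    /* value_len_buggy(bad) is deliberately not called: it would crash. */
    return 0;
}
```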

As open source projects have eliminated the bugs found in Coverity's initial scans, the spotlight has turned toward more obscure grades of bugs that were too minor to bother with in Coverity's first year of scanning. The third round of searching for such defects is underway.

For example, Samba, along with a handful of other open source projects, has entered what Coverity calls the third rung of certification. Samba is the project that provides file and print sharing between Windows and Linux and has been widely used in enterprises adopting Linux.

The Ruby scripting language and its framework, Ruby on Rails, known for its rapid development techniques, is also a third-rung certification participant, as is OpenPAM, the open source method of aggregating multiple user authentication schemes.

"Known bugs can sometimes turn into security issues if they're not correctly understood or addressed," wrote Jeremy Allison, co-creator of the Samba project with Andrew Tridgell, in a July 21 Samba FAQ entry on the need for defect prevention in open source code. "One hundred percent bug free reliable software is our goal, and one that Coverity scans play an important part in achieving," he wrote.

InformationWeek has published an in-depth report on application development. Download the report here (registration required).
