Open Source Code Contains Security Holes
Popular open source projects such as Samba, the PHP, Perl, Tcl dynamic languages, and Amanda were all found to have dozens or hundreds of security exposures.
Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security.
Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects.
A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, which is being used in the review.
At the same time, projects like Samba have been adept at correcting the vulnerabilities, once they were identified. Samba was found to have a total of 236 defects, a far lower rate than average for 450,000 lines of code. Of the 236 defects, 228 have been corrected, said Maxwell in an interview.
Homeland Security granted a $300,000 contract to Coverity in March 2006 to review the code produced by 180 open source projects, many of which were frequently adopted by developers of government Web sites and application projects.
Linux came in with far fewer defects than average, as did a number of other open source projects. Version 2.6 of the Linux kernel had a security bug rate of 0.127 per thousand lines of code. The kernel scan covered 3,639,322 lines of code. As exposures were identified by repeated scans, 452 defects have been fixed by kernel developers; 48 have been verified but not yet fixed; another 413 remain to be verified and fixed, according to code scanning results posted on the Coverity Web site.
FreeBSD, sometimes posed as an alternative to Linux, has been slower to respond to the Coverity scans. In 1,582,166 lines of code, it has fixed zero defects, verified six and has another 605 to go. [Coverity clarified that the FreeBSD listing on its site is out of date. FreeBSD conducts its own scans with Coverity's Prevent product and cleans up the bugs on its own server. No results of those scans were available at the time of the story.]
The Apache Web server includes 135,916 lines of code, which yielded a security defect rate of 0.14 bugs per thousand lines of code. Three have been fixed; seven have been verified but not fixed; 12 remain to be verified and fixed.
The PostgreSQL database system contains 909,148 lines of code, with a 0.041 defect rate. Fifty-three bugs have been fixed; zero have been verified but not fixed; 37 remain to be verified and fixed.
Some open source projects have been quicker to respond to the Coverity scan results than others, noted Maxwell. About 116 of 180 projects being reviewed are making use of the Prevent SQS scans and eliminating the bugs.
The somewhat moribund Firebird project, for example, is listed with 195 identified defects, of which it has verified zero and fixed zero. The active Firefox browser project, on the other hand, has fixed 370 bugs, verified 56 and faces another 246 to verify and fix. [The writer followed up this statement to acknowledge that Firebird has sprung back to life. See Oops, Look At That Phoenix Rising From The Ashes.]
The Free Software Foundation's glibc or Gnu C Library has fixed 83 bugs and left zero unfixed. The Gnu C Library is used by many open source programmers working with Linux. It is one of the few open source projects to clock in at a zero existing rate of defects for its 588,931 lines of code. Likewise, the Amanda project now registers zero defects in 99,073 lines of code as did courier-maildir in 82,229 lines.
Linux user interfaces also came in for a thorough review. The KDE interface contains 4,712,273 lines of code, has fixed 1,554 defects, has verified another 25 and has only 65 to go. Gnome contains 430,809 lines of code, has fixed 357 defects, verified 5 and has 214 to go.
The popular MySQL open source database was not included in the scans for reasons that were not immediately evident.
OpenVPN, the open source VPN software used to link remote users securely to a central office, has verified the one defect found in its 69,223 lines of code, but hasn't fixed it yet.
OpenSSL, the open source implementation of Secure Sockets Layer, has fixed 24 bugs, verified one and has 24 remaining in its 221,194 lines of code.
To know the number of security exposures found within a popular piece of software is unusual, said Maxwell. Open source projects are different from commercial products in that commercial companies rarely acknowledge security defects in their code or whether they have been dealt with. "Our commercial customers wouldn't like it too much if we aired the number of defects found in their code," said Maxwell, when asked about the results from scans on 400 product lines of the firm's private customers.