Open Source Code Contains Security Holes - InformationWeek


Popular open source projects such as Samba, the PHP, Perl, and Tcl dynamic languages, and Amanda were all found to have dozens or hundreds of security exposures.

Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security.

Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects.

A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that's being used in the review.

At the same time, projects like Samba have been adept at correcting the vulnerabilities, once they were identified. Samba was found to have a total of 236 defects, a far lower rate than average for 450,000 lines of code. Of the 236 defects, 228 have been corrected, said Maxwell in an interview.

Homeland Security granted a $300,000 contract to Coverity in March 2006 to review the code produced by 180 open source projects, many of which were frequently adopted by developers of government Web sites and application projects.

Linux came in with far fewer defects than average, as did a number of other open source projects. Version 2.6 of the Linux kernel had a security bug rate of 0.127 per thousand lines of code. The kernel scan covered 3,639,322 lines of code. As exposures were identified by repeated scans, 452 defects have been fixed by kernel developers; 48 have been verified but not yet fixed; another 413 remain to be verified and fixed, according to code scanning results posted on the Coverity Web site.

FreeBSD, sometimes posed as an alternative to Linux, has been slower to respond to the Coverity scans. In 1,582,166 lines of code, it has fixed zero defects, verified six and has another 605 to go. [Coverity clarified that the FreeBSD listing on its site is out of date. FreeBSD conducts its own scans with Coverity's Prevent product and cleans up the bugs on its own server. No results of those scans were available at the time of the story.]

The Apache Web server includes 135,916 lines of code, which yielded a security defect rate of 0.14 bugs per thousand lines of code. Three have been fixed; seven have been verified but not fixed; 12 remain to be verified and fixed.

The PostgreSQL database system contains 909,148 lines of code, with a 0.041 defect rate. Fifty-three bugs have been fixed; zero have been verified but not fixed; 37 remain to be verified and fixed.

Some open source projects have been quicker to respond to the Coverity scan results than others, noted Maxwell. About 116 of 180 projects being reviewed are making use of the Prevent SQS scans and eliminating the bugs.

The somewhat moribund Firebird project, for example, is listed with 195 identified defects, of which it has verified zero and fixed zero. The active Firefox browser project, on the other hand, has fixed 370 bugs, verified 56 and faces another 246 to verify and fix. [The writer followed up this statement to acknowledge that Firebird has sprung back to life. See Oops, Look At That Phoenix Rising From The Ashes.]

The Free Software Foundation's glibc, or GNU C Library, has fixed 83 bugs and left zero unfixed. The GNU C Library is used by many open source programmers working with Linux. It is one of the few open source projects to clock in with zero outstanding defects across its 588,931 lines of code. Likewise, the Amanda project now registers zero defects in 99,073 lines of code, as did courier-maildir in 82,229 lines.

Linux user interfaces also came in for a thorough review. The KDE interface contains 4,712,273 lines of code, has fixed 1,554 defects, has verified another 25 and has only 65 to go. Gnome contains 430,809 lines of code, has fixed 357 defects, verified 5 and has 214 to go.

The popular MySQL open source database was not included in the scans for reasons that were not immediately evident.

OpenVPN, a secure way to link to your central office, has verified the one defect found in its 69,223 lines of code, but hasn't fixed it yet.

OpenSSL, the open source form of Secure Sockets Layer, has fixed 24 bugs, verified one and has 24 remaining in its 221,194 lines of code.

To know the number of security exposures found within a popular piece of software is unusual, said Maxwell. Open source projects are different from commercial products in that commercial companies rarely acknowledge security defects in their code or whether they have been dealt with. "Our commercial customers wouldn't like it too much if we aired the number of defects found in their code," said Maxwell, when asked about the results from scans on 400 product lines of the firm's private customers.
