Coverity's Prevent To Bring Self-Build Capability To Open Source project scans
"Right now, we're the bottleneck," admits Coverity open source strategist David Maxwell. "Unfortunately there's only so much time in the day to include all the projects." As open source development continues apace, he says getting to a point where project developers can do their own builds frees up time and resources to include new scanning features and additional developer projects.
"By having the developers maintain the build systems by themselves, we'll be able to put the maintenance of that portion of the system in the hands of the people most motivated and knowledgeable to keep it running smoothly," he says.
Maxwell says because all of the projects in the scan are doing more to improve their quality than those who aren't, it makes sense to include as many projects as they can. "The key thing is that every open source project that chooses to be part of our scan should be applauded," he says.
Because security is an ongoing process that changes as open source projects are adapted and applied to new environments, continuing security analysis is a necessity. "The issue never really ends," he says. "We need to be able to explain to developers, here's the work you need to do and this is the advantage in doing it."
As some open source projects (which come from individual developers or non-profits organizations) have build systems that are harder to maintain, Coverity works on a first come, first serve basis. "Many project have build systems that are hard to maintain, and you have to be able to build [the scan software] to analyze it. Those get pushed back down the list a little bit," he explains. "We see if it's easy for us to build the software for the analysis tool."
By enabling developers to build the analysis tools to suit their own projects' dependencies and architectures, Coverity can then take those scan results and analyze them. "The developers who work on the projects actually fix the defects," Maxwell says. "We just use computers to do what they do best and look at the code and identify the bugs."
As open source project development spreads, the availability of developers to fix the identified flaws also increases. "That scales well," Maxwell says. The basic infrastructure of the Internet is based on open source software, he points out, and is potentially vulnerable to attack. "While you can mitigate that with active defenses like firewalls and spam filters, our approach is a proactive one," he says. "If you fix the bugs in the code, the program can't be attacked in the first place."
Maxwell says Prevent's capabilities can more effectively strengthen the security of technology infrastructures, like the Internet, that are based largely on open source software. As open source adaptation rises and as the Internet becomes more and more intrinsic to our professional and personal lives, maintaining and updating security is likely to remain an important issue. Many people use open source software on a daily basis, without realizing it," he says. "The fewer quality and security issues those codebases have, the more reliable and secure the network is."