Coverity Helps Secure 11 Open Source Projects

Software quality and security specialist Coverity yesterday released the names of 11 open source projects where the company's analysis tools identified and fixed potential code flaws. The work was the result of a collaboration also involving Stanford University and the Department of Homeland Security (DHS). Coverity has now certified those projects as secure.

The 11 companies involved in the project are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

The collaborative venture underscores the importance of maintaining security levels in open source software, says Coverity's open source strategist David Maxwell. "The key thing is that every open source project that chooses to be part of our scan should be applauded," he says.

Because security is an ongoing process that changes as open source projects are adapted and applied to new environments, continuing security analysis is a necessity. "The issue never really ends," he says. "We need to be able to explain to developers, here's the work you need to do and this is the advantage in doing it."

Based on the results, Coverity plans to advance the projects into the next stage of its bug-catching software, Rung 2, which Coverity says has the capability to detect more difficult to locate defects in the source code.

Launched in March 2006, The Open Source Hardening Project, a $300,000 collaborative effort, led Coverity to uncover "significant" security flaws in open source projects -- more than 7,800 identified bugs since the project's start. The company has previously worked to identify security flaws in open source-based Web browser Mozilla.

The basic infrastructure of the Internet is based on open source software, he points out, and is potentially vulnerable to attack. "While you can mitigate that with active defenses like firewalls and spam filters, our approach is a proactive one," he says. "If you fix the bugs in the code, the program can't be attacked in the first place."