
LAMP Lights the OSS Security Way

Zonk posted more than 8 years ago | from the bashing-in-the-heads-of-bugs dept.


Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland Security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality,' with an average of 0.29 defects per 1,000 lines of code, the technology company said."


178 comments

Old news (2, Informative)

Fnord666 (889225) | more than 8 years ago | (#14866452)

This is old news [serverwatch.com]:

I BLAME BUSH (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14866519)

This is clearly Bush's fault. Had we not been spending so much money stealing babies from Iraq we would be able to fund this!

Re:Old news (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14867383)

I've always been curious how the oldest comment can be redundant...

Solaris (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14866459)

It won't be long before the Solaris whiners chime in with how much better LAMP would be with OpenSolaris and lamenting the attention Linux gets that is rightly deserved by Solaris...

Re:Solaris (2, Funny)

Anonymous Coward | more than 8 years ago | (#14866586)

And it won't be long before Linux zealots start preemptively bashing Solaris to distract from the screaming shortcomings of their toy OS. In fact, it will start in t 0.

Dupe (1, Informative)

blirp (147278) | more than 8 years ago | (#14866468)

Re:Dupe (1)

garcia (6573) | more than 8 years ago | (#14866747)

Clearly you're wrong. One was posted by Zonk and the other by ScuttleMonkey. Look at the blurbs. Completely different content and title. It's not even a 1/4 dupe by Slashdot standards!

Maybe I've been reading too much politics lately.. (3, Interesting)

Valdrax (32670) | more than 8 years ago | (#14866490)

Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.

I need to do something about my cynicism.

Re:Maybe I've been reading too much politics latel (4, Insightful)

gbjbaanb (229885) | more than 8 years ago | (#14866532)

Well, once you read this snippet from the article, they'll have enough ammo:

"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Re:Maybe I've been reading too much politics latel (1)

hcob$ (766699) | more than 8 years ago | (#14866909)

I need to do something about my cynicism.
Yes, you need to nurture it and get into politics!

Fucking LAMP. (5, Insightful)

autopr0n (534291) | more than 8 years ago | (#14866499)

I'm so sick of everyone making their software depend on MySQL. If your software is any good it should be able to run on more than one DB, at least Postgres.

To me, MySQL is like the MS Access of the Open Source world.

Re:Fucking LAMP. (1)

IflyRC (956454) | more than 8 years ago | (#14866523)

Just wait until Oracle takes over MySQL - the options will be only to go from MySQL to Oracle because "something" will change to make migration easier.

I don't trust Oracle, I've seen them move into too many companies and push others out as well as backstab their own partners.

MySQL (2, Insightful)

suso (153703) | more than 8 years ago | (#14866666)

I don't trust Oracle

Honestly, I don't trust MySQL either. Ever since they started going more commercial, there have been indications that eventually MySQL will be more closed up than open. But that's just speculation. So I've been slowly switching my stuff to use PostgreSQL. The only problem I have with PostgreSQL is that it doesn't handle user administration as well. Other than that, it's awesome.

Re:Fucking LAMP. (0, Troll)

Bad Boy Marty (15944) | more than 8 years ago | (#14866528)

Oh, come on! A database that needs to be vacuumed every hour is just not a useful database! When Postgres overcomes that need, it will be useful -- not until.

Huh? (1)

autopr0n (534291) | more than 8 years ago | (#14866558)

What are you talking about? We ship appliances with Postgres and they don't need vacuuming.

Re:Huh? (3, Insightful)

muhgcee (188154) | more than 8 years ago | (#14866592)

I work at a company that uses Postgres with one of our products. When there are a lot of INSERTs into the Postgres database, it needs to be vacuumed or it slows to a crawl.

Re:Huh? (1)

Dan Ost (415913) | more than 8 years ago | (#14866760)

Vacuuming is now a background process that you can leave running all the time.

I think auto-vacuum was added in version 8.

Re:Huh? (0)

Anonymous Coward | more than 8 years ago | (#14866777)

I've got it in our production 7.4 servers.

Re:Huh? (2, Informative)

dfetter (2035) | more than 8 years ago | (#14866796)

I hope that "INSERT" is a typo, because it's just plain wrong. The only thing that needs vacuuming is dead tuples, and the only operations that create dead tuples are UPDATEs and DELETEs. Furthermore, pg_autovacuum has been integrated into the back-end since 8.0.

Re:Huh? (0)

Anonymous Coward | more than 8 years ago | (#14866712)

Assuming that your appliance doesn't do much other than SELECTs, then it probably doesn't require vacuuming. If you do inserts and updates then yes, you will have to vacuum the database. Considering all the problems with MySQL I don't know why they get their panties in a bind about running a vacuum job every BILLION transactions. I use cron to back up the database anyway, so I don't see what the issue is about vacuuming at the same time.

Re:Fucking LAMP. (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14866591)

Yeah, but stick with LAMP though, because LAPP makes me think LAPPdance... A lot of security holes to attack! ;)

Re:Fucking LAMP. (1, Funny)

Anonymous Coward | more than 8 years ago | (#14866679)

Yeah, but stick with LAMP though, because LAPP makes me think LAPPdance... A lot of security holes to attack! ;)

Aaaah, but lapdancing is the one place where an unexpected hole is a feature ;-)

Re:Fucking LAMP. (3, Interesting)

Trevin (570491) | more than 8 years ago | (#14866603)

I'd love it if database management systems were compatible enough to allow that. The trouble is, it seems only the most basic query syntax has been standardized. Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.

Re:Fucking LAMP. (1)

Lord Jester (88423) | more than 8 years ago | (#14866686)

Actually there are some database abstraction routines out there that use one set of functions for multiple database types. PHP-Nuke for example.

Re:Fucking LAMP. (2, Interesting)

mrops (927562) | more than 8 years ago | (#14867005)

Hey, that's why I say LAMP will never take the place of, say, Java/Spring/Hibernate/Tomcat/JBoss.

Re:Fucking LAMP. (2, Insightful)

aurb (674003) | more than 8 years ago | (#14866722)

Indeed. I wonder why people are not using SQLite [sqlite.org] where they need a fast and not _very, very_ large database (that's the case with most websites). And if there's a need for a big and reliable db -- PostgreSQL is the answer.

Re:Fucking LAMP. (4, Insightful)

Lumpy (12016) | more than 8 years ago | (#14866761)

I'm sick of DB makers ignoring standards and making their SQL not 100% SQL99 compliant.

It is pure bullcrap that MSSQL, Oracle, MySQL and PostgreSQL cannot take the exact same complex query without having to rewrite it.

That is one of the big problems: the fact that some of my queries will not go cross-platform because of stupidities thrown in by Microsoft, MySQL, and Oracle that cause pain and suffering like this.

Re:Fucking LAMP. (1)

NitsujTPU (19263) | more than 8 years ago | (#14866893)

That's nothing.

As an undergraduate, I took a class taught on Oracle platform (it helps that the department got a hefty kickback from Oracle). I got sick for 2 weeks and studied out of a database text that was all about SQL '99. The prof smoked my grade for using SQL '99 syntax, despite, otherwise, getting the questions right.

Re:Fucking LAMP. (1)

abradsn (542213) | more than 8 years ago | (#14867351)

Databases are fairly proprietary, and a class on databases should be specific to a platform, and if Oracle is used then Oracle is what matters. Besides, Oracle is number one in the database market right now, so that seems just fine to me either way. They are the standard.

Unless there is some more to the story (is there?) then the professor did the right thing.

Re:Fucking LAMP. (1)

DogDude (805747) | more than 8 years ago | (#14867011)

That is one of the big problems: the fact that some of my queries will not go cross-platform because of stupidities thrown in by Microsoft, MySQL, and Oracle that cause pain and suffering like this.

I'm just curious... what's the situation where you need the same SQL to talk to multiple kinds of databases? Does your company just have one of everything, or do they gut their infrastructure on a regular basis for fun? When I make a commitment to a database, I expect it to be at *least* a 5+ year commitment. I don't see the reason for replacing the most important part of most IT infrastructures unless there's an extremely serious reason to do so.

Re:Fucking LAMP. (0)

Anonymous Coward | more than 8 years ago | (#14867147)

I'm just curious... what's the situation where you need the same SQL to talk to multiple kinds of databases? Does your company just have one of everything, or do they gut their infrastructure on a regular basis for fun? When I make a commitment to a database, I expect it to be at *least* a 5+ year commitment. I don't see the reason for replacing the most important part of most IT infrastructures unless there's an extremely serious reason to do so.

The point seems to have been lost on you. Ideally, you should be choosing the database you want to use. Right now, the vendor of the application software you want to use often makes the decision for you. If, as you say, you make a 5+ year commitment to a given database, then you are screwed if the software you want to run doesn't support that database. Your statements actually reinforce the notion that the same SQL should be compatible with multiple databases, as that would make it easier for application vendors to support a range of database offerings, allowing you to use the database you like.

Re:Fucking LAMP. (1)

tobiasly (524456) | more than 8 years ago | (#14867103)

That's why we have database abstraction layers. There will never be a unified SQL syntax until all databases have exactly the same features.

A solution to this would be a standardized way to add nonstandard features, similar to mimetypes which begin with "x-". But don't hold your breath on that one.

Solution for the time being... (1)

ceeam (39911) | more than 8 years ago | (#14867370)

Do not use complex queries then. If your DB is on the same host as your web/application server there should be no big performance penalty in doing series of "smaller" queries. As an added bonus - they well may be easier to debug. And do not name your tables "order" or your fields "desc" (though I really hate prefixes/suffixes).

Re:Fucking LAMP. (0, Troll)

DogDude (805747) | more than 8 years ago | (#14867225)

If your software is any good it should be able to run on more than one DB, at least Postgres.

Actually, I'd say that if your software is any good, it won't be able to run on multiple databases. Why? If you can run the same code on multiple databases, then you're not taking advantage of any of the database-specific performance features. Heck, how do you get stored procedures to run across multiple databases? If you're calling "SELECT * FROM TABLENAME" good software because it can run on any database, then you've got some learnin' to do.

Re:Fucking LAMP. (1)

autopr0n (534291) | more than 8 years ago | (#14867347)

Heck, how do you get stored procedures to run across multiple databases?

Well, how do you get stored procedures to work on MySQL at all? Actually, any database-specific query-related code should be sequestered in a small data access layer, along with all your DB code, which could be re-coded for different DBs without upsetting the rest of your system.

If you're calling "SELECT * FROM TABLENAME" good software because it can run on any database, then you've got some learnin' to do.

If you consider "Select * from tablename" software at all, you've got some learnin' to do. It's not software, it's a query. It's what you do with the data afterwards that makes up the 'software'. You strike me as the kind of person who thinks doing a 'select' and then formatting the output via PHP makes good software; in my mind, it's barely even software at all.

don't waste that $$$! (2, Insightful)

urdine (775754) | more than 8 years ago | (#14866501)

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

Re:don't waste that $$$! (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14866543)

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!
They do - it says so in the article.

Re:don't waste that $$$! (3, Funny)

Bazzalisk (869812) | more than 8 years ago | (#14866797)

Ah, but how many lines of code will it take to correct the bugs? and will those bugfixes themselves contain bugs?

Interested minds couldn't care less.

Re:don't waste that $$$! (2, Interesting)

ChrisA90278 (905188) | more than 8 years ago | (#14867104)

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

Many other studies and most programmers' experience show that there is a high likelihood of introducing a bug whenever you make a change to existing code. In fact, on a per-line-of-code-written basis, "fixes" are about the buggiest code you can write. So if you have .3 bugs per KSLOC (kilo lines of code) in mature code like Apache or the Linux kernel, the new stuff that fixes a bug might have three times as many bugs per line. But the bug fix is typically small, many times just one to four lines, so you do make progress. Over time the "defect rate" falls. Graphically it is a curve that reaches zero at infinity.

"Everyone" knows the above, so after even a trivial fix you test the heck out of the system, then put it through a long beta cycle. Well, at least the projects that have some kind of process in place do this. But note that all the "best" OSS systems do have a very strong and well-ordered development process. I'd say the low bug rate is due to the process. The best they can do is make incremental tweaks to the process and wait. At infinity the bug rate will in fact reach zero, or so says the theory.

And for Windows XP? (0, Troll)

Bad Boy Marty (15944) | more than 8 years ago | (#14866507)

That's the stat I want to see....

Re:And for Windows XP? (1)

NitsujTPU (19263) | more than 8 years ago | (#14866636)

If you were really pro open source, rather than anti-Microsoft, you'd probably not care.

Seriously, the "at least it's not Microsoft" argument shouldn't impress anybody. The desire to put out a superior product, period, should be motivation enough to undertake something along these lines.

Re:And for Windows XP? (1)

Bad Boy Marty (15944) | more than 8 years ago | (#14866713)

No, you missed my point. I'd just love to see a *fair* comparison w.r.t. the number of bugs per KLOC.

As for "the desire to put out a superior product", what does that have to do with Microsoft?

Re:And for Windows XP? (1)

NitsujTPU (19263) | more than 8 years ago | (#14866762)

What I mean is, why live for such comparisons? Does it have to be about beating Microsoft, or using them as a bar to jump over?

Even if it is, would you consider this an objective metric? Everybody knows that the kloc is, at best, an informal estimate of effort. Perhaps the Microsoft code does in 5 lines what the Open Source code does in 150. There are no bugs in those 5 lines, but 5 in the 150. The 150 line implementation implements an algorithm that runs in poly time, but the 5 lines run in exponential, what's the better code?

The LAMP devs _have_ to write secure code. (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14866518)

After all, that stuff's running most of the Internet.

Counting Defects (2, Interesting)

RasendeRutje (829555) | more than 8 years ago | (#14866534)

How can one ever count the defects/bugs per line?
And why count them, and then not remove them?
And one huge defect is better than several small ones?
Sounds like crappy research to me, time to RTFA.

Re:Counting Defects (0)

Anonymous Coward | more than 8 years ago | (#14866700)

guess they had to come up with something so they could claim their >$1M funding.

Re:Counting Defects (3, Interesting)

Pedro Sobota (959537) | more than 8 years ago | (#14867140)

Very Bad, and I have seen a US Defense - contracted software company (they even do helicopter systems) on their website extensively touting their 'lower defects per line of code (DLC)' methodology. Marketing.

Can the source code analysis tool... (0)

Anonymous Coward | more than 8 years ago | (#14866542)

...be run on itself to see how many bugs it has?

http://scan.coverity.com/ - highest/lowest (2, Interesting)

digitaldc (879047) | more than 8 years ago | (#14866565)

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

Just an FYI...AMANDA had the highest amount of bugs at 1.214 Defects / KLOC and OpenVPN the lowest at 0.100 Defects / KLOC.

YEAH RIGHT! (4, Insightful)

suso (153703) | more than 8 years ago | (#14866587)

Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless it's the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".

I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.

It is simple really (1)

SmallFurryCreature (593017) | more than 8 years ago | (#14867355)

Who says that when XMMS crashes it is XMMS'es fault?

It could be one of its libraries. XMMS source code doesn't give you the player (or at least not one that will do anything); if you used Gentoo or LFS you would know this.

Oh, and bugs != programming errors or design flaws. Even if you eliminate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. Which is a good thing. Unless you're the cat.

Do slashdot editors even read the site? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14866569)

yeah, not really.

What about.... (0, Troll)

Lord Jester (88423) | more than 8 years ago | (#14866605)

Micro$oft systems? I think M$ should open to the same analysis of Windows/IIS/MSSQL/ASP.Net to see where they stand.

Re:What about.... (0)

Anonymous Coward | more than 8 years ago | (#14866664)

Excuse me? I believe you mean "Window$/II$/M$$QL/A$P" You're giving Lunix zealotry a bad name.

Umm... Way to go Department of Homeland Security? (3, Insightful)

Wannabe Code Monkey (638617) | more than 8 years ago | (#14866607)

I have to say, I'm surprised and impressed... a $1.2M grant to harden open source software? Thanks, all-seeing Orwellian eyeball. I don't recall Slashdot posting anything about the original grant, but here's a link from the posted article to another about the funding [zdnetasia.com].

The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

Re:Umm... Way to go Department of Homeland Securit (1)

moe.ron (953702) | more than 8 years ago | (#14866753)

FTF(linked)A:

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said. "It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

I knew I'd find a little truth in there somewhere!

0.00 defects per infinity lines of code (3, Insightful)

mwvdlee (775178) | more than 8 years ago | (#14866612)

If an automated system can detect bugs in code, why can't it fix them automatically too?

Re:0.00 defects per infinity lines of code (0)

Anonymous Coward | more than 8 years ago | (#14866751)

It's obvious that you are not a programmer.

Finding bugs is one thing, fixing them is another. Look at the pros/cons of including a debugger in the Linux kernel (and take Linus's objections into account).

Building complex software is bloody difficult. Even if you have perfect code, it's still possible that the wrong combination of compiler flags screws everything up.

Re:0.00 defects per infinity lines of code (1)

Kuvter (882697) | more than 8 years ago | (#14866781)

If an automated system can detect bugs in code, why can't it fix them automatically too?

Because then the computer would have to think and having a computer think is bad! Basically it'd have to 'guess' what you meant to code the section as and then pick one and go with it. If it picked the wrong one you might now be saving to the wrong place or running code you didn't intend on having created.

Re:0.00 defects per infinity lines of code (1)

Short Circuit (52384) | more than 8 years ago | (#14866790)

How do you fix a bug of ambiguity? Consider this line of code.

if (a = b) {func()};

Was the purpose to compare a to b, and call func() if true? Or was it to set a to b, and call func() if b was true?

Re:0.00 defects per infinity lines of code (1)

fossa (212602) | more than 8 years ago | (#14866915)

Is that considered a bug? From what I recall, it will compile fine; a bug checker should not list that as a bug. Now, I believe GCC will warn you "recommend parens around truth value" or something like that, which should be noticed by the programmer if it indeed wasn't supposed to be an assignment plus truth check but was meant to be a comparison. I don't think anything can detect logic errors like "if (bread_is_done_baking) { turn_oven_on() }" (instead of turn_oven_off())...

Re:0.00 defects per infinity lines of code (1)

Short Circuit (52384) | more than 8 years ago | (#14866974)

Well, they're technically counting defects. Most programmers I know would assume that the original coder meant "a==b", and change it. So it's considered bad style. Another possible example would be using strcpy() instead of strncpy(); the latter is more secure than the former.

Whether they counted elements of bad style as defects, I don't know. But they certainly couldn't have been looking at behavioral bugs with an automated source-checking system. That requires a user, or something very well-written posing as a user.
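An added C illustration, written for this edit and not posted by anyone in the thread, of the two points above: a checker can only flag `if (a = b)` because both readings are valid programs, and strncpy() is not a drop-in hardening of strcpy() because it leaves the destination unterminated when the source is too long. The helper names (reading_compare, reading_assign, copy_bounded, strncpy_terminated) and the sample buffers are my own constructions; gcc -Wall's -Wparentheses warning is the "suggest parentheses around assignment used as truth value" message mentioned in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Both helpers below are hypothetical: they spell out the two meanings a
 * human might have intended by the thread's ambiguous line
 *     if (a = b) {func()};
 * A static checker sees that a valid program results either way, so all it
 * can do is flag the pattern; only the programmer can pick the reading. */
static int calls = 0;
static void func(void) { calls++; }

/* Reading 1: compare a and b, call func() when they are equal. */
int reading_compare(int a, int b) {
    calls = 0;
    if (a == b) { func(); }
    return calls;
}

/* Reading 2: assign b to a, call func() when the assigned value is nonzero.
 * The extra parentheses plus the explicit "!= 0" state the intent, which is
 * also what silences gcc's -Wparentheses warning. */
int reading_assign(int *a, int b) {
    calls = 0;
    if ((*a = b) != 0) { func(); }
    return calls;
}

/* strcpy() writes past dst when src is too long; strncpy() stops after
 * dstsize bytes but does not write a NUL when strlen(src) >= dstsize.
 * copy_bounded (hypothetical) always leaves dst NUL-terminated and tells
 * the caller whether the copy was truncated, so truncation can be handled
 * instead of silently producing an unterminated buffer. */
bool copy_bounded(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return false;        /* nothing can be copied, not even the NUL */
    size_t len = strlen(src);
    bool truncated = len >= dstsize;
    size_t n = truncated ? dstsize - 1 : len;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return !truncated;
}

/* Shows the strncpy() pitfall directly: returns true iff a NUL exists within
 * the first dstsize bytes of dst after strncpy(dst, src, dstsize).
 * dst is pre-filled with 'X' so leftover bytes are visibly non-NUL. */
bool strncpy_terminated(size_t dstsize, const char *src) {
    char dst[16];                          /* constructed scratch buffer */
    if (dstsize > sizeof dst) return false;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

int main(void) {
    char buf[8];                           /* constructed 8-byte destination */
    int a = 1;
    printf("compare(3,3): %d call(s)\n", reading_compare(3, 3));
    printf("assign(a,0):  %d call(s), a=%d\n", reading_assign(&a, 0), a);
    printf("copy_bounded fits:      %d -> \"%s\"\n",
           copy_bounded(buf, sizeof buf, "short"), buf);
    printf("copy_bounded truncated: %d -> \"%s\"\n",
           !copy_bounded(buf, sizeof buf, "this is too long"), buf);
    printf("strncpy(4, \"abcdef\") terminated? %d\n", strncpy_terminated(4, "abcdef"));
    return 0;
}
```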

Re:0.00 defects per infinity lines of code (0)

Anonymous Coward | more than 8 years ago | (#14866864)

If an automated system can detect bugs in code, why can't it fix them automatically too?

Gees, that's the kind of comment I'd expect on digg. I mean, really, I thought people on /. at least had a clue.

The automated checker can't fix the errors for the same reason it can't write all the code in the first place. The same reason compilers give warning and errors but don't actually fix them. It's computationally hard.

What about... (0, Troll)

moe.ron (953702) | more than 8 years ago | (#14866613)

I would be curious to see the results of the same evaluation on Windows Server 2k3, IIS 7.0, SQL Server 2005, and ASP.NET 2.0-- it would bring a whole new meaning to 'Giving 100%!'

over hyped (1)

Gravis Zero (934156) | more than 8 years ago | (#14866620)

I would like to point out that as far as government programs go, 1.24 million is nothing at all. They pay contractors more money to repave a parking lot! I don't see this as doing any good for OSS itself. Perhaps the NSA will get interested and do something, but don't hold your breath. On a side note, I don't think MS would ever let them do an automated scan, even if they did it themselves. Bad publicity is never good (well, duh!).

What about SCAMP? (0)

Anonymous Coward | more than 8 years ago | (#14866628)

You should find SCAMP [sco.com] amusing. Enjoy!

Curious absence of OpenBSD/OpenSSH ... (0)

Anonymous Coward | more than 8 years ago | (#14866701)

It seems odd that OpenBSD does not seem to be a project they monitor (or at least they are not publishing stats for it). The OpenBSD project is the most overtly focused group for secure coding, so it would have been interesting to see if all the effort made a difference. OpenSSH would also have been interesting, since it is used by virtually *everybody*.

Test of Leaked Vista/IIS code (4, Funny)

RealProgrammer (723725) | more than 8 years ago | (#14866703)

Researchers at clandestine research labs in bases hidden deep in the Russian Alps have attempted to analyze portions of the leaked Internet Information Server (IIS) and Windows Vista code for similar flaws.

The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.

On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".

RE: Automated bug finding (1)

moe.ron (953702) | more than 8 years ago | (#14866706)

Of course this system from Coverity only checks for static source code bugs, and not run-time errors or semantic errors. And even then, not even necessarily real bugs, but "possible" bugs. Sounds more like FxCop than anything else. The real meat of this evaluation was probably done on the Symantec side, which was probably a laundry list of tests for known vulnerabilities.

LA - fine M - okay P - ah so many varieties! (4, Interesting)

Dareth (47614) | more than 8 years ago | (#14866755)

The LAMP stack when broken down consists of:
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.

P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?

Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.

I love LAMP. (0)

Anonymous Coward | more than 8 years ago | (#14866759)

...and yes, I really do love lamp.

Just Gnome? (1)

Odin_Tiger (585113) | more than 8 years ago | (#14866763)

What about KDE? icewm? XFce? Blackbox? KDE at the very minimum, I would think, was a significant oversight. And why FreeBSD? 'L' is for 'Linux'. It's not 'BAMP'. But so long as they were gonna test BSD, why not OpenBSD, the one that can't speak 3 sentences without yelling mentioning how secure it is? It's awesome to see the government do something like this, but I just have to wonder what their justification was for some of the things they picked.

Re:Just Gnome? (0)

Anonymous Coward | more than 8 years ago | (#14866932)

Justification? In a governmentally funded study? What did you expect, other than politics?!

Re:Just Gnome? (1)

archen (447353) | more than 8 years ago | (#14866964)

I agree with you there. I mean, the biggest parts of the puzzle are already solved in a LAMP situation; these are typically proven stable software. Seriously, it's not rocket science to untaint a variable from CGI before you pass a query or do some operation. One good thing this does show, however, is that using a LAMP sort of solution is going to build on a pretty stable foundation. Personally I find one of the most frustrating things in programming stems from code that is fine, but bigger problems in the underlying system causing issues.

For the record I use FreeBSD / Postgresql / Lighttpd / Perl .

Guess that would be FLiPP or something

How Estimate Bugs Per LOC? (0)

Anonymous Coward | more than 8 years ago | (#14866799)

How do you estimate the number of bugs per line of code (LOC) when you are unable to prove a program correct?

did they fall back to tracking the actual number of bugs found per LOC? Or did they use an automatic tool which (all which can find only certain types of bugs)?

Point is that, unless you can prove a program correct (practically impossible) there is no way to show that it has no more bugs.

So is this article SPAM for a commercial diagnostic tool that finds bugs?

Security is not a feature, security is design (4, Insightful)

Device666 (901563) | more than 8 years ago | (#14866808)

Security is not a feature, security is design. This ultimately means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and, most importantly, knowledge of how to use a system. This means that security will only need tools to help a system architect and developer confront the limits of his human brain, and to have a well-documented yet very simple, concise system and slow development cycles.

Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice). But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security; however, someone may learn faster from the mindsharing in the open source world. To have a concise system, so much more is needed than just some bugfixes. OSS is just a proof that closed source corporate software is not good with security, but it isn't proof of sound security.

Most interesting is OpenBSD with its outstanding default values, its very own high-profile malloc which prevents coders from a lot of buffer underruns/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security if people used program derivation (which is a very concise way to do formal verification). PIE and all other solutions may look practical, but they don't solve the lacking attention to "secure by design".

I wonder what happen to Tomcat (0)

Anonymous Coward | more than 8 years ago | (#14866843)

I thought Tomcat is pretty important and also widely used OSS.

Will Coverity contribute? (1)

mwilliamson (672411) | more than 8 years ago | (#14866917)

"The company did not give details on the scope of the flaws it found." After all that work reviewing a rather massive amount of code, are they not going to publish detailed results, or at least contact developers? They have their data for the study now. WTF?

Re:Will Coverity contribute? (1)

judmarc (649183) | more than 8 years ago | (#14867062)

It didn't say the company wouldn't give details to the reviewed projects, and in fact Coverity has sent correspondence to the projects earlier this week offering to do just that. See http://kerneltrap.org/node/6299 [kerneltrap.org] re the Linux kernel; similar messages were sent to the other projects.

From the lame-ass-metaphor dept. (2, Funny)

tobiasly (524456) | more than 8 years ago | (#14867036)

"LAMP Lights the Way"?! Was Slashdot acquired by C|Net?

For the love of all that's holy, please drop the hackish high-school-newsletter headlines.

For the rest of us (1)

mal0rd (323126) | more than 8 years ago | (#14867047)

What is there available for this kind of analysis that doesn't cost money to use?

Please don't count bugs per LOC... (0)

Anonymous Coward | more than 8 years ago | (#14867190)

...count bugs per function point instead; otherwise code with lots of whitespace will appear to have fewer bugs.

Commercial metrics? (1)

XMilkProject (935232) | more than 8 years ago | (#14867274)

Do we have any metrics to compare this to commercial software quality? I know that's a bit hard to answer, but I'm curious what this same tool has found when used on commercial code.

Maybe someone works for a company that used the tool on their code? Or some results have been published somewhere?