
Coverity Reports Open Source Security Making Great Strides

ScuttleMonkey posted more than 6 years ago | from the patting-yourself-on-the-back dept.

Security 48

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."


48 comments


Hi (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22005744)

Hi

Barak Hussein Obama == Muslim (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22005798)

Beware of stealth muslims like Obama - indoctrinated in an Indonesian madrasa!

He hates America. He hates White Folk. He wants to destroy this country!

SO DOES HILLARY CLINTOON (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22006028)

Only Hillary wants to destroy this country by offshoring to India one job at a time! [tata.com]

Note that now that it's an election year, Hillary's Tata Consultancy Services cronies have removed nearly every reference to her from their website. I wonder how many rupees crore they contributed to the ELECT HILLARY '08 campaign?

Re:SO DOES HILLARY CLINTOON (0, Offtopic)

Penguinisto (415985) | more than 6 years ago | (#22007446)

Dude - I did NOT want to know about Hillary's Tatas...

(the mental image... holy crap what a bad evil mental image.... it's like the Janet Reno brain-sear of 1998 all friggin' over again!)

/P

MOD PARENT UP (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22007298)

HE IS A SAND NIGGER JEJEJEEJEJEJ

Reason: Don't use so many caps. It's like YELLING.

What security flaws? (1)

n1_111 (597775) | more than 6 years ago | (#22005800)

Open source has no security flaws, it is perfect and we should all use it.

Re:What security flaws? (1)

Teppic_52 (982950) | more than 6 years ago | (#22006368)

You should have used sarcasm tags, you may not have got modded down then.

Re:What security flaws? (1)

desNotes (900643) | more than 6 years ago | (#22007860)

Microsoft Troll... check out his post history

Overdose (1)

PetiePooo (606423) | more than 6 years ago | (#22005856)

What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

Re:Overdose (4, Funny)

PetiePooo (606423) | more than 6 years ago | (#22005924)

> What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

Ah, never mind. It's a Yahoo! chat client. [sourceforge.net] I should have searched Sourceforge instead...

Re:Overdose (1)

UdoKeir (239957) | more than 6 years ago | (#22006330)

Hmmm... posting that link ought to spike their project activity stats for a couple of days. ;-)

FOSSie bailout by Big Daddy Gubment (0)

Anonymous Coward | more than 6 years ago | (#22006146)

Looks like FOSS's strategy of CONvincing the gub'ment to use FOSS is paying off. Already the Gubment found thousands and thousands of bugs everywhere they looked... but call that "progress". If it were anywhere important (or intelligent)... all those bugs would be a deterrent from using it.

FOSS finally found their perfect "customer"... someone who doesn't know any better, and if the application messes up, nobody gets in trouble!

Woohoo!! Let's race to the bottom!

Re:FOSSie bailout by Big Daddy Gubment (0)

Anonymous Coward | more than 6 years ago | (#22007304)

This is probably why all those anonymous posters don't want Negroes around.

Re:FOSSie bailout by Big Daddy Gubment (1)

jvlb (636475) | more than 6 years ago | (#22014730)

Actually, I'd say there's a pretty good possibility the Gov't would ante up just as much, or more, to help fix MS vulns, if MS were as open and cooperative.

Dupe? (2, Informative)

hax0r_this (1073148) | more than 6 years ago | (#22005890)

Is this story different than this one? [slashdot.org]

Re:Dupe? (4, Interesting)

ashridah (72567) | more than 6 years ago | (#22005998)

Yes. It has a positive bias in the title (pro open source) instead of a negative one. We want slashdot to be fair and impartial right....?

ash

Re:Dupe? (1)

EvanED (569694) | more than 6 years ago | (#22006030)

The other one isn't as blatant an advertisement for Coverity? ;-)

Anyone else (4, Funny)

Bloke down the pub (861787) | more than 6 years ago | (#22005896)

Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.

Re:Anyone else (1)

rickb928 (945187) | more than 6 years ago | (#22006256)

No matter where you're from, somewhere else is a bloody shithole.

Except for my hometown. It's the elbow of the Earth. You can see the armpit from there.

Re:Anyone else (1)

networkBoy (774728) | more than 6 years ago | (#22007206)

You live in the sac metro area then?
-nB

Re:Anyone else (1)

rickb928 (945187) | more than 6 years ago | (#22010496)

Actually, a place in Maine... Looks a little like Vermont.

173 Projects NOT being actively scanned (3, Informative)

gQuigs (913879) | more than 6 years ago | (#22005992)

If you are involved in said projects, please contact coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

Rung 0: http://scan.coverity.com/rung0.html [coverity.com]

Re:173 Projects NOT being actively scanned (1)

X0563511 (793323) | more than 6 years ago | (#22007388)

At the bottom of the page:

> If you have any questions or would like to suggest additional
> projects to be added, please email [SNIP]

To get the snipped email, ROT-13 this: fpna-nqzva@pbirevgl.pbz

Re:173 Projects NOT being actively scanned (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22008070)

My project is one of the 173.

Coverity contacted me several months ago. I fixed every issue that they raised and informed them of such. They said thanks and I heard nothing more.

Now they say that my project is in "Rung 0" and they haven't responded to my efforts to contact them. So I really have no idea what is going on; whether they found something new (and unknown to me), or that I'm supposed to be doing something that I haven't done, or what.

Re:173 Projects NOT being actively scanned (0)

Anonymous Coward | more than 6 years ago | (#22035266)

What is the name of your project? There are only a few people that have to deal with a large volume of email and questions. The guys are really nice. Please try and contact him again. I'm sure that he'll respond if he sees your note.

great news (0)

Anonymous Coward | more than 6 years ago | (#22006096)

no one will call php loser now!

Experience with Nmap (4, Informative)

katterjohn (726348) | more than 6 years ago | (#22006112)

I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.

What happened to secure by design? (0)

Anonymous Coward | more than 6 years ago | (#22006338)

Oh right, that was just bs from a bunch of zealots.

Re:What happened to secure by design? (1)

kclittle (625128) | more than 6 years ago | (#22007620)

> Oh right, that was just bs from a bunch of zealots.

No, that was wise advice from a bunch of humans. But, wise as they might be, if they handed me code they themselves had written, following their own principles, I'd *still* run Coverity over it.

Re:What happened to secure by design? (1)

hax0r_this (1073148) | more than 6 years ago | (#22007778)

This is exactly why it's more secure by design. It's hard to go through the source if you don't have it.

Any real effect? (1)

hey (83763) | more than 6 years ago | (#22006832)

I wonder if these fixes will make any difference in the real world.
I use most of those programs and they are already 100% reliable for me.

Re:Any real effect? (1)

Secrity (742221) | more than 6 years ago | (#22007180)

These bugs are not normally noticeable by the user, but some of the bugs may be exploitable.

Re:Any real effect? (1)

chromatic (9471) | more than 6 years ago | (#22007312)

Some of the bugs I've fixed could have been crashers in certain circumstances. They were unlikely cases, but they had potential unpleasantness.

Reliability vs security. (1)

argent (18001) | more than 6 years ago | (#22008094)

Reliability is an indication that certain kinds of security flaws are less likely, yes, but... oh, here, have an analogy on me... your car has never accidentally shifted into reverse, I would assume. Does that tell you anything about whether you can pop the trunk open by whacking the bumper in the right place?

Re:Any real effect? (2, Informative)

iabervon (1971) | more than 6 years ago | (#22009064)

Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach that point, it may not matter (e.g., if there's some weird thing the user can do that crashes their mail client, it's not a big deal, because anyone who could do that could also just tell it to quit). But, again, reasonable changes to the code could expose this as a real problem, and having these flaws means that the description of the state of the program that the programmer has to keep in mind in order to only make correct changes is more complicated, and the intended behavior of the program is harder to pick out from the actual code.

And then, of course, there are real issues that they're finding, and these are often difficult to distinguish automatically from things that are just badly written, and it's better to just fix everything that's wrong rather than trying to determine how wrong it is.
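The NULL-dereference class that katterjohn mentions fixing in Nmap and that iabervon describes above (an error case "handled" by crashing, or a check that exists but is placed where it can never fire) is easy to see in a few lines of C. The following is an added illustration, not code from Nmap, Coverity or any project named in this thread; the config table, the `lookup()` helper and the three `value_length_*` functions are constructed for the example, and the checker names in the comments (NULL_RETURNS, FORWARD_NULL, REVERSE_INULL) are the Coverity labels quoted elsewhere in this thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for a config lookup; not taken from
   any real project. */
struct kv {
    const char *key;
    const char *value;
};

static const struct kv table[] = {
    { "host", "mail.example.invalid" },
    { "port", "25" },
};

/* Returns the value for key, or NULL when the key is absent. Every caller
   has to handle the NULL case; forgetting it is what a NULL_RETURNS /
   FORWARD_NULL checker flags. */
static const char *lookup(const char *key)
{
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].key, key) == 0)
            return table[i].value;
    }
    return NULL;
}

/* The pattern iabervon describes: the missing-key error case is
   "handled" by crashing on a NULL dereference inside strlen(). */
static size_t value_length_unchecked(const char *key)
{
    const char *v = lookup(key);
    return strlen(v);           /* NULL dereference when key is absent */
}

/* The misleading variant (REVERSE_INULL): a NULL check exists, but it
   comes after the dereference, so it is dead code and tells the next
   maintainer the wrong story about which paths are safe. */
static int value_length_reversed(const char *key, size_t *out)
{
    const char *v = lookup(key);
    size_t n = strlen(v);       /* already dereferenced here ... */
    if (v == NULL)              /* ... so this check can never fire */
        return -1;
    *out = n;
    return 0;
}

/* The hardened form: check before use and report the error to the
   caller instead of crashing. */
static int value_length_checked(const char *key, size_t *out)
{
    const char *v = lookup(key);
    if (v == NULL)
        return -1;              /* caller decides how to report it */
    *out = strlen(v);
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Only the checked version is safe to call with a missing key. */
    if (value_length_checked("port", &n) == 0)
        printf("port value length: %zu\n", n);
    if (value_length_checked("user", &n) != 0)
        printf("user: missing key reported, no crash\n");
    /* With a key that is present, all three variants agree. */
    printf("host (unchecked): %zu\n", value_length_unchecked("host"));
    if (value_length_reversed("host", &n) == 0)
        printf("host (reversed check): %zu\n", n);
    return 0;
}
```

All three functions behave identically on keys that exist, which is why such code survives testing; the difference only shows on the error path, which is exactly the path a static checker enumerates and a test suite usually does not.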

Update on the article is posted (4, Informative)

ivoras (455934) | more than 6 years ago | (#22007462)

There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html [informationweek.com] See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html [freebsd.org] for discussion on FreeBSD.

Is the Coverity toolkit also open source? (1)

phatvw (996438) | more than 6 years ago | (#22007922)

Seems ironic that you'd test and certify open source software with closed source test code.
So where can you download the source code for the Prevent suite and all its plugins?

The freebsd projects scanner (1)

reiisi (1211052) | more than 6 years ago | (#22009522)

TFriendlyA mentions that the freebsd project uses its own scanner, and the author of the article seems to think it's a variant of Prevent.

Looking up Prevent on wikipedia indicates that Prevent SQS was derived from the Stanford Checker.

http://en.wikipedia.org/wiki/Coverity [wikipedia.org]

Re:Is the Coverity toolkit also open source? (1)

INT_QRK (1043164) | more than 6 years ago | (#22015206)

This is a huge point! Thank you! So, if DHS would perhaps consider funding, supporting, encouraging, sponsoring, etc., an Open Source project for a software assurance tool set, then such a product could be backed by rigorous peer review from the FLOSS community as well as academia to better ensure validity and continuous improvement. Perhaps Federally Funded Research and Development (FFRDC) Centers such as Carnegie-Mellon's Software Engineering Institute (SEI) could even be funded for full time CM and repository hosting. Projects could use the FLOSS tool to recursively check code during development, and perhaps an "Underwriters Lab"-like organization could evolve to provide an independent rating based on standards which everyone, having access to the code, can fully assess for themselves. Hey, DHS! Something to think about!

fr1st Psot... (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22008054)

Now if only Coverity would release some code.. (3, Insightful)

Deanalator (806515) | more than 6 years ago | (#22008192)

A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.

Re:Now if only Coverity would release some code.. (1)

epine (68316) | more than 6 years ago | (#22011690)

Coverity is doing what all the firewall vendors do, self-inventing threats and then focusing all the dialog on count statistics. It's almost impossible to find coverage on Coverity in terms of what classes of bugs they detect, and the relative importance of the bugs they find. How many are of the "oh my god" variety? I would hazard a guess somewhere between 1 and 5 percent. This is not a number Coverity wishes to see tracked in public forums, as their effort to inflate total bug counts will inevitably drive this number downward, even if the rate of occurrence in open source projects remains relatively flat.

http://www.firebirdnews.org/docs/coverity_report_6march.html [firebirdnews.org]

BAD_COMPARE
CTOR_DTOR_LEAK ; lameness
DEADCODE
DELETE_ARRAY
FORWARD_NULL
NEGATIVE_RETURNS , lameness
NULL_RETURNS
OVERRUN_STATIC
RESOURCE_LEAK / lameness
REVERSE_INULL
UNINIT
USE_AFTER_FREE

Suggests a wide range of impact. Negative returns: probably harmless 99% of the time. Use after free: I'd be fixing those pronto.

But you can only guess, because Coverity has managed to keep informative coverage thin on the ground.

Here's a post which actually says something:

https://www.securecoding.cert.org/confluence/display/seccode/cp-mapping [cert.org]

Contains a mapping from Coverity checker labels to CERT coding guideline URLs.

Re:Now if only Coverity would release some code.. (1)

nous (62496) | more than 6 years ago | (#22020516)

> A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

i have been tracking dawson's work since the very beginning, and i agree with this assessment. apparently one good idea, an awful extension language and a lot of free grad help is a recipe for success, screw open source. what is even more amazing is that engler work remains unchallenged by oss equivalents...

nous

open source vs. closed source security (3, Informative)

solinym (1215798) | more than 6 years ago | (#22008906)

I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5 [subspacefield.org]

If I've missed any - or if you have any other suggestions - please email me.

I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

Re:open source vs. closed source security (1)

Sanat (702) | more than 6 years ago | (#22010412)

Thanks for sharing the information on Security concepts. It looks nice so far (haven't read it all yet) and it says some things in succinct ways that I have always had a difficult time putting into words.

This document is noteworthy and is worth a look.

ehm (1)

towsonu2003 (928663) | more than 6 years ago | (#22009250)

I'm a bit more interested in who were the least in fixing their bugs...

Use a software engineering language instead (0)

Anonymous Coward | more than 6 years ago | (#22010502)

A language designed for software engineers instead of "coders" would preclude the need for Coverity. Now what language could that be? Why Ada, of course. [adapower.com]

The problems which Coverity exposes are less likely to occur, and in many cases impossible to occur, in a language such as Ada, which was designed from its inception to avoid these problems.