
Federal aid helps uncover open source flaws

By SearchSecurity.com Staff
10 Jan 2008 | SearchSecurity.com

Security Wire Daily News

Coverity, a security firm working with the U.S. Department of Homeland Security, has found flaws in 11 major open source projects under a two-year-old initiative that rewards developers who quickly fix the vulnerabilities reported in their code.

The flaws were discovered and repaired in Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

The code scanning is being conducted as part of the federal government's Open Source Code Hardening Project. Coverity set up the Coverity Scan site, which runs static analysis over the source code of more than 250 open source projects. Coverity said the effort has helped fix more than 7,500 software defects since its launch in March 2006.

The site aids open source projects by rewarding developers for resolving defects. It places projects into levels based on how quickly reported flaws are addressed; projects at higher levels receive access to additional analysis capabilities, including further static analysis tools and configuration options, Coverity said.


Currently 173 projects sit at level zero, Coverity's lowest level: no representative of those projects has come forward to request access to the analysis results. Projects at this level include the Common UNIX Printing System (CUPS), nmap, a network and port scanner with OS detection, and the RPM package manager used in some Linux distributions.

In November, the scan site began supporting open source Java projects.

"We provide easy-to-manage sets of defects for participants while creating an incentive for them to continue to improve their code," David Maxwell, open source strategist for Coverity, said in a statement.

With the increased focus on secure software development, demand for code-auditing tools and services has risen. Besides Coverity, vendors in the market include Veracode, Fortify, and Ounce Labs.

A number of groups have joined in recent months to encourage developers to produce software with fewer coding errors and better security features.

In October, a group of technology companies, including Microsoft and Symantec, formed the Software Assurance Forum for Excellence in Code. The organization plans a series of projects to better educate developers on safe coding practices, whether at the university level or in a professional setting.

In March, the SANS Institute announced its Software Security Institute, a program designed to educate and certify developers in secure coding. That group produced four examinations to test developers on specific programming language suites: C/C++, Java/J2EE, Perl/PHP and .NET/ASP.

In October, SANS said that 23 people had earned certification under the program. Seven demonstrated mastery of secure coding in C and sixteen demonstrated that mastery in Java.


