A security firm working with the U.S. Department of Homeland Security discovered flaws in 11 major open source projects under a two-year-old initiative that rewards developers who quickly address vulnerabilities.
The flaws were discovered and repaired in Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.
The code scanning work is being conducted as part of the federal government's Open Source Code Hardening Project. The company set up the Coverity Scan site, which analyzes the source code of more than 250 open source projects. Coverity said it has helped fix over 7,500 software flaws since the site's launch in March 2006.
The site aids open source projects by rewarding developers for resolving defects. It divides open source projects into levels based on how quickly flaws are addressed. Projects at higher levels receive access to additional analysis capabilities, including static analysis tools and configuration options, Coverity said.
Currently 173 projects are on level zero, Coverity's lowest level. No representatives of the open source projects have come forward for access to the analysis results. Some projects on this level include the Common UNIX Printing System (CUPS), nmap, a network and port scanner with OS detection, and the RPM package manager used in some Linux distributions.
In November, the scan site began supporting open source Java projects.
"We provide easy-to-manage sets of defects for participants while creating an incentive for them to continue to improve their code," David Maxwell, open source strategist for Coverity, said in a statement.
With the increased focus on secure software development, the demand for code-auditing tools and services has risen. In addition to Coverity, some of the vendors in the market include Veracode, Fortify, and Ounce Labs.
A number of groups have joined in recent months to encourage developers to produce software with fewer coding errors and better security features.
In October, a group of technology companies, including Microsoft and Symantec, formed the Software Assurance Forum for Excellence in Code. The organization plans a series of projects to better educate developers on safe coding practices, whether at the university level or in a professional setting.
In March, the SANS Institute announced its Software Security Institute, a program designed to educate and certify developers in secure coding. That group produced four examinations to test developers on specific programming language suites -- C/C++, Java/J2EE, Perl/PHP and .NET/ASP.
In October, SANS said that 23 people had earned the certification under the program. Seven demonstrated mastery of secure coding in the C language and sixteen demonstrated that mastery in Java.