DHS finds flaws in 180 open source software projects

By Jacqueline Emigh | Published January 10, 2008, 6:59 PM

Are Linux and other open source software really more 'secure' than commercial software products? Maybe, yet maybe not. The US Dept. of Homeland Security and two research partners have now detected significant flaws in Samba, Python, Perl, and about 180 other open source projects -- but fixes are on the way.

Although some have claimed that Linux and other open source projects are more "secure" than commercial software, a bug-finding program sponsored by the US Department of Homeland Security (DHS) has now discovered significant flaws in 180 different open source software projects.

Conducted for the DHS by Coverity and Stanford University, the DHS's Open Source Hardening Project has been analyzing code for potential security vulnerabilities and quality defects in 250 different open source projects since 2006.

The 250 projects analyzed produce some of the world's most popular open source applications, including the Linux operating system; the Apache Web Server; the Firefox Web browser; and Samba, an open source implementation of Server Message Block (SMB), a protocol used by Microsoft Windows for file and print services.

One of the reasons why open source software is sometimes viewed as more secure is that the code is created by teams of developers from multiple organizations -- some of them volunteers -- who work collaboratively, sharing applications and bug fixes.

Nevertheless, out of the 180 projects found by Coverity to have significant defects, only 11 of them have so far been advanced by Coverity to the second stage of bug cleansing, dubbed "Rung 2," with some others expected to reach that level within the next few months.

The 11 projects now being graduated to Rung 2 are Samba, Amanda, Perl, Overdose, OpenVPN, OpenPAM, PHP, Postfix, TCL, NTP, and Python.

Other projects, however, are still either at Rung 1 in the process, or even worse, at Rung 0, meaning that they haven't even gotten started yet on bug fixing.

Open source development is especially widespread in government, partly because of cost, but also because government agencies can be especially sensitive to avoiding vendor lock-in. And this isn't the first time that a federal agency has gotten involved in trying to bolster software quality and security.

Over the years, a number of "hardened" Linux distributions and kernels have been created for use in government agencies and other high security environments. One of these, SELinux, was spearheaded by the National Security Agency (NSA), for example.

Now, another federal government agency -- the National Institute of Science and Technology (NIST) -- is reportedly working with the University of Texas, Arlington on readying a new approach to open source flaw detection, known as "combinatorial testing."

The new approach is aimed at saving developers time by automatically generating tests that explore the interactions among all of the various settings -- such as "on" and "off" -- of the multiple variables that control a piece of software, rather than testing every possible combination of them.

Combinatorial testing is foreseen as especially useful in improving the security and functionality of Web sites, interactive voice response (IVR) systems, industrial process controls, and other software applications with lots of different variables.
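The combinatorial testing idea described above, as an added example that is not the NIST/UT Arlington tool and not code from the article: a greedy builder for a pairwise (2-way) covering test set over a constructed set of on/off command settings, plus a checker that every pair of setting values appears together in at least one test. Names and the sample settings are assumptions made for the illustration.

```python
from collections import Counter
from itertools import combinations, product

# Constructed sample: settings of a hypothetical network service command.
OPTIONS = {
    "verbose": ["on", "off"], "tls": ["on", "off"], "compress": ["on", "off"],
    "ipv6": ["on", "off"], "auth": ["none", "password", "cert"], "log": ["on", "off"],
}

def all_pairs(params):
    """Every (setting_a, value_a, setting_b, value_b) a pairwise suite must exercise."""
    return {(a, va, b, vb)
            for a, b in combinations(params, 2)
            for va, vb in product(params[a], params[b])}

def covers(test, pair):
    a, va, b, vb = pair
    return test.get(a) == va and test.get(b) == vb

def exhaustive_count(params):
    n = 1
    for values in params.values():
        n *= len(values)
    return n

def pairwise_tests(params):
    """Greedy (AETG-style) construction of a 2-way covering test set.
    params: {setting_name: [allowed values]}.  Returns a list of full assignments."""
    uncovered = all_pairs(params)
    tests = []
    while uncovered:
        # Seed the test with the setting/value that still has the most uncovered partners.
        weight = Counter()
        for a, va, b, vb in sorted(uncovered):
            weight[(a, va)] += 1
            weight[(b, vb)] += 1
        (seed_name, seed_value), _ = weight.most_common(1)[0]
        test = {seed_name: seed_value}
        for name in params:
            if name in test:
                continue
            # Choose the value that covers the most uncovered pairs with settings already chosen.
            def gain(value):
                trial = dict(test, **{name: value})
                return sum(1 for p in uncovered if covers(trial, p))
            test[name] = max(params[name], key=gain)
        uncovered = {p for p in uncovered if not covers(test, p)}  # progress is guaranteed
        tests.append(test)
    return tests

def is_pairwise_complete(tests, params):
    """True when every value pair of every two settings occurs in some test."""
    return all(any(covers(t, p) for t in tests) for p in all_pairs(params))
```

Running `pairwise_tests(OPTIONS)` yields a suite far smaller than the 96 exhaustive combinations while still exercising every pair of setting values, which is the saving the article attributes to the approach.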

Researchers at NIST and the University of Texas reportedly plan to release the new testing tool early this year, after a period of beta testing.

Comments


And 150 of these flaws are related to not having secret back doors to sniff out hostile activities? :)

Score: 0

|

And this from a republican administration that cannot even keep emails. Yeah, right.

Score: 0

|

Are we actually going to believe anything these guys say? After all, they're not really all that competent to begin with.....

Score: 0

|

*laughs*

Yeah, bunch of bumbling idiots. I'm sure we'd all rather live in Canada...

/sarcasm (just in case the sarcasm doesn't translate...)

Score: 0

|

Having seen some of their audits first hand and the fact that the audit was done by Coverity and Stanford University; yes, I do believe them.

Score: 0

|

Ouch, the stupid, it burns!

Score: 0

|

You rip on Republicans and troll me.

That all you got, momma's boy?

Score: 0

|

At least no one is flying planes into our buildings. Your trillions spent already on national defence sure proved itself money well spent then. And of course we do have a much higher quality of life than you do, but then again so do most other Western nations as well. But hey, we're all rotten commies anyways..... At least you're "free", as long as you can afford to be that is.. [smiles]

[Note: real sarcasm]

Score: 0

|

I doubt that even your mother likes you all that much...

I see that the current lot of republicans, running for president, are offering nothing new but the same old failed policies that Reagan used to quadruple the national debt in only 8 years. To continuously repeat the same mistakes over and over again is pure insanity. And I see that Ron Paul is showing his true libertopian colors as well with what is coming out about his racist remarks from his newsletter.

There are things that the private sector was never meant to control. This is why you have such a low quality of life when compared to most other Western nations.

Score: 0

|

Want to buy a bridge?

Score: 0

|

If it wasn't for Reagan the USA would have become a new Africa thanks to the Democrats and their taxes and chaos-driven politics.

Score: 0

|

I agree, Ron Paul is an idiot (dons flame-proof gear in prep for the Ron Paul fanatics).

You should love him, you'd be in good company.

The rest is BS. You have no understanding of politics or economics if you think Reagan failed.

Score: 0

|

"Higher quality of life"

Sorry, but that statistic doesn't carry much weight when you consider the cost. They base the majority of that on the availability of "universal" healthcare.

Sure, we could have it. We could wait three months to have an abscess tooth removed. We could even manage the pain ourselves with marijuana while we wait. But ya know, we'd rather just get it fixed. :)

You can keep your wildly inaccurate standards. We'll stick with our own. :p

Score: 0

|

You imply the audits are inaccurate.

Got proof?

/silly question...

Score: 0

|

Obsessed much?

Score: 0

|

He's not obsessed. He just doesn't have anything better to do.

Sad, isn't it?

Score: 0

|

I'd have to agree -- wait months in line to be finally seen by some underpaid third world doctor... and just about everything else sucks up there: from climate to uber pricing of drinks & broadband (in both categories you pay more while getting less).

One notable exception: gambling... but even then, there are some restrictions / it's freer in other countries.

For the record:

1. I like Canadians very, very much... I feel their pain tremendously.

2. Yes, politicos have greatly sullied the US... but we certainly don't hold the patent & exclusive rights to that.

Score: 0

|

Agreed. Plus which Dem President has been decent in the past half-century... even worse, which of the current crop of BS'ing Dems would even do a half-assed job?

Score: 0

|

There's a side of me that is morbidly curious as to how incredibly hosed this country could get under Hillary's heel.

Score: 0

|

It's easier to find flaws in open source programs, and at the same time they can be fixed faster. That's the reason why I'm using only open source. The applications are updated faster with hotfixes and also with new features.

To Ian: I agree with you on the new Betanews interface... but I hope it will be used only during CES. As you see, FileForum has the same layout.

Score: 0

|

So which is it... this article says it is not secure, but the samba.org front page has a link to a CNET article saying Coverity certified the 11 projects in Rung 2 as secure, free from defects, the opposite of this article. At least that's how I read this.

http://www.news.com/8301-10789_3-9843682-57.html

Score: 0

|

BTW, NIST = National Institute of Standards and Technology

WOW! Betanews is going so downhill; and with this new layout I'm about ready to delete my account, already stopped visiting regularly.

Score: 0

|

I'm hoping this layout is temporary for CES coverage. The right column is pretty much wasted. I didn't see any reason to change their look; the features I'd want to see is better comment (discussion) handling and maybe user contributed related links... like "hey! if you like this try..." or an Amazon-ish "People who looked at this app also downloaded..." or a watch list to tell you there's a new version of an app you like.

Score: 0

|

Indeed. It's really painful to visit BetaNews now. The home page is badly designed. Should look for another place to read news and look for new software.

Score: 0

|

I NEVER visit the homepage. I use the RSS feed to see which article I want to read. The layout change hasn't impacted me. I don't really like it, but it hasn't changed the way I read.

Score: 0

|

Same here.

Score: 0

|

This layout is permanent. A betanews employee already stated this on another thread earlier in the week. They are going to work out the kinks in time... but it will basically look like this... so we gotta get used to it :(

Score: 0

|

I agree. It's too loud on the eyes now.

Score: 0

|

I use RSS too, but this layout isn't much to my liking either. I wrote an email kindly requesting a reply and got no response. I wasn't at all insulting, I just don't "like" this layout. It's not an improvement on the old one :\

Score: 0

|

My bot watches articles I'm interested in for new comments, and I read via RSS. I still hit the homepage though. Not a fan of the new style, but I do like the cleaner "tabs" at the top.

Score: 0

|

Wow, that's a funny little lie.

Score: 0

|

Your bot?

Care to share with the rest of the class? Post in the fileforum. :p

...you know you want to....

Score: 0

|

No, it's not.

Ed stated in an earlier thread, in a reply to myself, that the CES format was going to be permanent.

I am sure that at the time, to the best of his knowledge, that was correct. I am also pretty sure the flood of negative comments regarding the new design probably helped push them back to the old one, perhaps to try again with a slightly less dramatic change later on.

Score: 0

|

This is a significant move by the Federal agencies to help improve the quality of open source products. Let's make the world a better place with Open Source.

Score: 0

|
