Secure Coding mailing list archives
ZDNET: LAMP lights the way in open-source security
From: crispin at novell.com (Crispin Cowan)
Date: Tue, 07 Mar 2006 12:59:50 -0800
Gavin, Michael wrote:

> Yeah, statistics can allow you to say and "prove" just about anything. OK, showing my ignorance here, since I haven't checked out any of the LAMP source trees and reviewed the code: how much of the code making up those modules is written in scripting languages vs. how much of it is written in C, C++ (and how much, if any, is written in any other compiled languages)?

That doesn't matter; what matters is what fraction of disclosed vulnerabilities is in each segment of the code? If 90% of the vulnerabilities come from the PHP part, then the fact that 90% of the lines of code are in C doesn't help.

> If the LAMP source code itself is primarily C/C++, then arguably, the results are somewhat interesting, though I think they would be much more interesting if this DISA project was set up to test the open source code with a number of commercial scanners instead of just the Coverity scanner, then we could at least compare the merits of various scanning techniques and implementations.

The proprietary status of the Coverity scanner is a continuous pain. That's why I tend to ignore it where possible :)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption