Secure Coding mailing list archives

ZDNET: LAMP lights the way in open-source security

From: mgavin at forrester.com (Gavin, Michael)
Date: Tue, 7 Mar 2006 16:35:30 -0500


-----Original Message-----

From: Crispin Cowan [mailto:crispin at novell.com]

Gavin, Michael wrote:

Yeah, statistics can allow you to say and "prove" just about

anything.


OK, showing my ignorance here, since I haven't checked out any of the
LAMP source trees and reviewed the code: how much of the code making

up

those modules is written in scripting languages vs. how much of it is
written in C, C++ (and how much, if any, is written in any other
compiled languages)?

That doesn't matter; what matters is what fraction of disclosed
vulnerabilities is in each segment of the code? If 90% of the
vulnerabilities come from the PHP part, then the fact that 90% of the
lines of code are in C doesn't help.


[Gavin, Michael] Absolutely true! But from the perspective of improving
static source code analysis tools, if 90% of the code is in C, which is
one of the 2 languages supported by the Coverity product, then we now
have one reasonable data point regarding how well that (moderate amount
of) C code was written with respect to one vendor's
notion/implementation of secure coding in C.

Certainly not a huge win for anyone, but a potential starting point for
comparing techniques and products. For example, I haven't been following
the status of David Wheeler's flawfinder, but even if that hasn't been
updated lately, it might be interesting to see which flaws it finds that
Coverity found, which Coverity found that flawfinder doesn't, and which
flawfinder finds that Coverity didn't. Unfortunately your comment below
regarding the proprietary nature of Coverity makes such a comparison
less useful for everyone but Coverity...

If the LAMP source code itself is primarily C/C++, then arguably, the
results are somewhat interesting, though I think they would be much

more

interesting if this DISA project was set up to test the open source

code

with a number of commercial scanners instead of just the Coverity
scanner, then we could at least compare the merits of various

scanning

techniques and implementations.

The proprietary status of the Coverity scanner is a continuous pain.
That's why I tend to ignore it where possible :)

Crispin
-- 
Crispin Cowan, Ph.D.

http://crispincowan.com/~crispin/

Director of Software Engineering, Novell http://novell.com
      Olympic Games: The Bi-Annual Festival of Corruption

Current thread:

ZDNET: LAMP lights the way in open-source security Kenneth R. van Wyk (Mar 07)
- <Possible follow-ups>
- ZDNET: LAMP lights the way in open-source security Gavin, Michael (Mar 07)
- ZDNET: LAMP lights the way in open-source security Jeremy Epstein (Mar 07)
- ZDNET: LAMP lights the way in open-source security Gavin, Michael (Mar 07)
  - ZDNET: LAMP lights the way in open-source security Jeff Williams (Mar 07)
  - ZDNET: LAMP lights the way in open-source security Crispin Cowan (Mar 07)
- ZDNET: LAMP lights the way in open-source security Gary McGraw (Mar 07)
- ZDNET: LAMP lights the way in open-source security Gavin, Michael (Mar 07)
- ZDNET: LAMP lights the way in open-source security Gary McGraw (Mar 07)