Secure Coding mailing list archives

ZDNET: LAMP lights the way in open-source security


From: gem at cigital.com (Gary McGraw)
Date: Tue, 7 Mar 2006 17:32:23 -0500

Hmm.

Time to no longer use flawfinder, RATS, and ITS4.  Throw them out and get a real tool.

I cover this in gory detail in chapter 5 of Software Security.  There's a pretty nice treatment of the history of these 
tools and the evolution of technology there.

gem
www.swsec.com
www.cigital.com/~gem

-----Original Message-----
From:   Gavin, Michael [mailto:mgavin at forrester.com]
Sent:   Tue Mar 07 16:40:00 2006
To:     Crispin Cowan
Cc:     Jeremy Epstein; Secure Coding Mailing List
Subject:        RE: [SC-L] ZDNET: LAMP lights the way in open-source security


-----Original Message-----
From: Crispin Cowan [mailto:crispin at novell.com]

Gavin, Michael wrote:
Yeah, statistics can allow you to say and "prove" just about
anything.

OK, showing my ignorance here, since I haven't checked out any of the
LAMP source trees and reviewed the code: how much of the code making up
those modules is written in scripting languages vs. how much of it is
written in C, C++ (and how much, if any, is written in any other
compiled languages)?

That doesn't matter; what matters is what fraction of disclosed
vulnerabilities is in each segment of the code? If 90% of the
vulnerabilities come from the PHP part, then the fact that 90% of the
lines of code are in C doesn't help.

[Gavin, Michael] Absolutely true! But from the perspective of improving
static source code analysis tools, if 90% of the code is in C, which is
one of the 2 languages supported by the Coverity product, then we now
have one reasonable data point regarding how well that (moderate amount
of) C code was written with respect to one vendor's
notion/implementation of secure coding in C.

Certainly not a huge win for anyone, but a potential starting point for
comparing techniques and products. For example, I haven't been following
the status of David Wheeler's flawfinder, but even if that hasn't been
updated lately, it might be interesting to see which flaws it finds that
Coverity found, which Coverity found that flawfinder doesn't, and which
flawfinder finds that Coverity didn't. Unfortunately your comment below
regarding the proprietary nature of Coverity makes such a comparison
less useful for everyone but Coverity...

If the LAMP source code itself is primarily C/C++, then arguably, the
results are somewhat interesting, though I think they would be much more
interesting if this DISA project was set up to test the open source code
with a number of commercial scanners instead of just the Coverity
scanner, then we could at least compare the merits of various scanning
techniques and implementations.
The proprietary status of the Coverity scanner is a continuous pain.
That's why I tend to ignore it where possible :)

Crispin
-- 
Crispin Cowan, Ph.D.
http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
      Olympic Games: The Bi-Annual Festival of Corruption


_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
