Secure Coding mailing list archives

Open Source Code Contains Security Holes -- Open Source -- InformationWeek


From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 10 Jan 2008 08:18:14 -0500

SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded  
scan of a *bunch* of open source projects:

http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All

The stats are interesting, I suppose.  I don't see any prioritization  
of the defects, but I imagine those were provided to the various open  
source project leaders.

The question that isn't addressed here, and I'm sure was well outside  
of the scope of the project, is what each open source project *did*  
with the vulnerability information BEYOND just fixing the bugs?  Did  
they merely fix the problems and move on?  Or, did they use the  
defects as an opportunity to educate their team members on how to
avoid these same sorts of things from creeping back into the src
tree?  If they simply treated the vul lists as checklists of things to
fix, then I'd expect a similar study in (say) five years to be just as  
bad as the recent Coverity study.

I think it's important to learn from mistakes, not just fix them and  
get on with things.  I sure hope the open source teams in this study  
did some of that.  If any SC-Lers have insight here, please share.

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
