Secure Coding mailing list archives
Open Source Code Contains Security Holes -- Open Source -- InformationWeek
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 10 Jan 2008 08:18:14 -0500
SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded scan of a *bunch* of open source projects:

http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All

The stats are interesting, I suppose. I don't see any prioritization of the defects, but I imagine those were provided to the various open source project leaders.

The question that isn't addressed here, and I'm sure was well outside of the scope of the project, is what each open source project *did* with the vulnerability information BEYOND just fixing the bugs? Did they merely fix the problems and move on? Or did they use the defects as an opportunity to educate their team members on how to avoid these same sorts of things from creeping back into the src tree?

If they simply treated the vul lists as checklists of things to fix, then I'd expect a similar study in (say) five years to be just as bad as the recent Coverity study. I think it's important to learn from mistakes, not just fix them and get on with things. I sure hope the open source teams in this study did some of that.

If any SC-Lers have insight here, please share.

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- Open Source Code Contains Security Holes -- Open Source -- InformationWeek Kenneth Van Wyk (Jan 10)
- Open Source Code Contains Security Holes -- Open Source -- InformationWeek Gary McGraw (Jan 10)
- Open Source Code Contains Security Holes -- Open Source -- InformationWeek Steven M. Christey (Jan 10)