Secure Coding mailing list archives

ZDNET: LAMP lights the way in open-source security


From: mgavin at forrester.com (Gavin, Michael)
Date: Tue, 7 Mar 2006 11:49:16 -0500

The Coverity product (Coverity Prevent) is a static source code analysis
tool for C and C++, see
http://www.coverity.com/library/pdf/coverity_prevent.pdf.

It isn't actually scanning (or if it is, it isn't analyzing) any of the
scripting code, as far as I can tell.

Michael

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth R. van Wyk
Sent: Tuesday, March 07, 2006 10:56 AM
To: Secure Coding Mailing List
Subject: [SC-L] ZDNET: LAMP lights the way in open-source security 

Interesting article out on ZDNet today:

http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm

The article refers to the US government sponsored study being done by
Stanford University, Symantec, and Coverity.  It says, "The so-called LAMP
stack of open-source software has a lower bug density--the number of bugs
per thousand lines of code--than a baseline of 32 open-source projects
analyzed, Coverity, a maker of code analysis tools, announced Monday."

This surprised me quite a bit, especially given LAMP's popular reliance
on scripting languages PHP, Perl, and/or Python.  Still, the article
doesn't discuss any of the root causes of the claimed security strengths
in LAMP-based code.  Perhaps it's because the scripting languages tend to
make things less complex for the coders (as opposed to more complex
higher level languages like Java and C#/.NET)?  Opinions?

Cheers,

Ken
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php