ZDNET: LAMP lights the way in open-source security

[jeff.williams at aspectsecurity.com (Jeff Williams)]

I'm a strong advocate of static analysis, but drawing conclusions about
overall security based only on these tools is just silly.  Even ignoring the
scripting language problem, these tools simply aren't even looking for many
of the types of problems that cause the most serious risks.  They're great
for assisting a code review or indicating potential design flaws, but not a
great ruler.  At least not yet.

--Jeff

> -----Original Message-----
> From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On
> Behalf Of Gavin, Michael
> Sent: Tuesday, March 07, 2006 12:46 PM
> To: Jeremy Epstein; Kenneth R. van Wyk; Secure Coding Mailing List
> Subject: RE: [SC-L] ZDNET: LAMP lights the way in open-source security
>
> Yeah, statistics can allow you to say and "prove" just about anything.
>
> OK, showing my ignorance here, since I haven't checked out any of the
> LAMP source trees and reviewed the code: how much of the code making up
> those modules is written in scripting languages vs. how much of it is
> written in C, C++ (and how much, if any, is written in any other
> compiled languages)?
>
> If the LAMP source code itself is primarily C/C++, then arguably, the
> results are somewhat interesting, though I think they would be much more
> interesting if this DISA project was set up to test the open source code
> with a number of commercial scanners instead of just the Coverity
> scanner, then we could at least compare the merits of various scanning
> techniques and implementations. In this case, the distinction to me is
> that they have tested the LAMP platform code, not the code that people
> write on top of it for their applications, and are making some
> statements about the software security of the LAMP platform compared to
> the rest of the open source code they scanned.
>
> If on the other hand, a significant portion of the LAMP code base itself
> is made up of scripting language code, then I agree with you, the
> results aren't terribly useful to anyone other than possibly Coverity
> and Stanford. Note: significant is open to interpretation, but doesn't
> have to be large; 10 or 15 per cent would seem significant enough to me.
>
> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein at webmethods.com]
> Sent: Tuesday, March 07, 2006 12:17 PM
> To: Gavin, Michael; Kenneth R. van Wyk; Secure Coding Mailing List
> Subject: RE: [SC-L] ZDNET: LAMP lights the way in open-source security
>
> All of which proves that there are lies, damn lies, and statistics (the
> statistic being the lower bug density, which ignores the most
> potentially
> vulnerable parts of the system).
>
> > -----Original Message-----
> > From: sc-l-bounces at securecoding.org
> > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gavin, Michael
> > Sent: Tuesday, March 07, 2006 11:49 AM
> > To: Kenneth R. van Wyk; Secure Coding Mailing List
> > Subject: RE: [SC-L] ZDNET: LAMP lights the way in open-source
> > security
> >
> > The Coverity product (Coverity Prevent) is a static source
> > code analysis tool for C and C++, see
> > http://www.coverity.com/library/pdf/coverity_prevent.pdf.
> >
> > It isn't actually scanning (or if it is, it isn't analyzing)
> > any of the scripting code, as far I as can tell.
> >
> > Michael
> >
> > -----Original Message-----
> > From: sc-l-bounces at securecoding.org
> > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth R. van Wyk
> > Sent: Tuesday, March 07, 2006 10:56 AM
> > To: Secure Coding Mailing List
> > Subject: [SC-L] ZDNET: LAMP lights the way in open-source security
> >
> > Interesting article out on ZDNet today:
> >
> > http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm
> >
> > The article refers to the US government sponsored study being
> > done by Stanford University, Symantec, and Coverity.  It
> > says, "The so-called LAMP stack of open-source software has a
> > lower bug density--the number of bugs per thousand lines of
> > code--than a baseline of 32 open-source projects analyzed,
> > Coverity, a maker of code analysis tools, announced Monday."
> >
> > This surprised me quite a bit, especially given LAMP's
> > popular reliance on scripting languages PHP, Perl, and/or
> > Python.  Still, the article doesn't discuss any of the root
> > causes of the claimed security strengths in LAMP-based code.
> > Perhaps it's because the scripting languages tend to make
> > things less complex for the coders (as opposed to more
> > complex higher level languages like Java and C#/.NET)?  Opinions?
> >
> > Cheers,
> >
> > Ken
> > --
> > Kenneth R. van Wyk
> > KRvW Associates, LLC
> > http://www.KRvW.com
> >
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L)
> > SC-L at securecoding.org
> > List information, subscriptions, etc -
> > http://krvw.com/mailman/listinfo/sc-l
> > List charter available at -
> > http://www.securecoding.org/list/charter.php
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L)
> > SC-L at securecoding.org
> > List information, subscriptions, etc -
> > http://krvw.com/mailman/listinfo/sc-l
> > List charter available at -
> > http://www.securecoding.org/list/charter.php
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php