ZDNET: LAMP lights the way in open-source security

[crispin at novell.com (Crispin Cowan)]

Gavin, Michael wrote:
> Yeah, statistics can allow you to say and "prove" just about anything.
>
> OK, showing my ignorance here, since I haven't checked out any of the
> LAMP source trees and reviewed the code: how much of the code making up
> those modules is written in scripting languages vs. how much of it is
> written in C, C++ (and how much, if any, is written in any other
> compiled languages)?
>   
That doesn't matter; what matters is what fraction of disclosed
vulnerabilities is in each segment of the code? If 90% of the
vulnerabilities come from the PHP part, then the fact that 90% of the
lines of code are in C doesn't help.

> If the LAMP source code itself is primarily C/C++, then arguably, the
> results are somewhat interesting, though I think they would be much more
> interesting if this DISA project was set up to test the open source code
> with a number of commercial scanners instead of just the Coverity
> scanner, then we could at least compare the merits of various scanning
> techniques and implementations.
The proprietary status of the Coverity scanner is a continuous pain.
That's why I tend to ignore it where possible :)

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
        Olympic Games: The Bi-Annual Festival of Corruption