Thursday, May 22, 2008

Is Open Source software safe and secure?

It’s a big question: how trustworthy is the software I use on my computer? When it comes to open source, can you trust the quality of programmers who work for free? You can, according to a new report out this week – which also proves major open source offerings to be especially well written. It equally shows up the projects which are slow to respond to vulnerabilities.

One argument for open source has always been that you have inherently more security because anyone can examine the underlying program code and verify it does what it ought to be doing. But then, does this really mean anything for non-programmers? In one sense, you’re still depending on the word of others; open source does remove a major barrier by giving you the program code but that’s only part of the puzzle. You also need both the time and the expertise to analyse it.

Here’s where Coverity come in. They are a commercial code analysis company which began at Stanford University. Coverity have been running a project called Scan for two years with funding provided by the Department of Homeland Security, in line with its own objectives to harden open source apps. This week Coverity released their Open Source Report for 2008. This report is interesting stuff; it draws on two years’ worth of data from over 250 significant C/C++ open source projects – like PHP, Perl, Python and Samba, all veritable household names (albeit in a fairly geeky household).
