Open source developers apparently don’t adhere to best practices such as using static analysis and conducting regular security audits, found Coverity’s Spotlight report, released Wednesday.
The Coverity Scan service, which is available at no charge to open source projects, helped devs find and fix about 50,000 quality and security defects in code last year.
That number can be attributed in part to continuous improvement of the analysis, which surfaces defects that earlier scans missed. Also, as projects mature and clear their backlog, devs can focus on rooting out newly introduced defects. Another factor is that user registration for the Coverity service was quadruple that of 2012, noted Zach Samocha, senior director of products at Coverity.
Coverity in June added its Security Advisor to the Coverity Scan service, which resulted in the discovery of almost 4,000 defects. The Security Advisor includes sophisticated analysis algorithms that help developers find and fix critical Web application security issues.
Of those roughly 4,000 discoveries, almost 2,400 were high-severity defects, about 1,330 were low severity, and the remaining 260 or so were medium severity.
Helping Open Source Devs Help Themselves
There have been several highly publicized open source vulnerabilities this year alone, including Heartbleed and Shellshock.
Those two flaws impacted a large number of users because of the widespread implementation of open source software.
“We would like to see more open source projects sign up for the [Coverity Scan] service and incorporate the finding and fixing of defects into their standard process,” Samocha told TechNewsWorld. More than 3,000 open source projects have signed up for the service, but “there are many more.”
Security Advisor can find quality defects in C#, Java, C and C++ code, and it can spot security defects in Java, C and C++, Samocha said.
Since June, Security Advisor has identified 688 OWASP Top 10 issues in 37 open source projects, including big data, network management and blog server projects.
There were 210 insecure direct object references; 139 each of cross-site scripting and cross-site request forgery; and 135 injection flaws, including SQL injection. Broken authentication and session management accounted for 43 issues, security misconfiguration for 10, sensitive data exposure for eight, and missing function-level access control for four.
Security Advisor has been available on a paid basis to commercial customers for several years now.
Who’s Gonna Take Code Home Tonight?
It’s generally accepted that open source devs write code in their own time as an altruistic act, which raises the question of how they will find the time and energy to incorporate security best practices into their coding.
“There are incredible developers out there spending their evenings and weekends developing great stuff, but … very few of them can afford to dedicate days or weeks dealing with problems and fixing bugs,” Robert Coleridge, CTO of Secure Channels, told TechNewsWorld. “I don’t see any way to fix this at the starving artist level.”
That is why the Heartbleed bug, which was the result of a relatively minor coding error (a missing bounds check on an attacker-supplied length), went undetected. Devs at the OpenSSL Project, which maintains the library, are part-time volunteers with full-time day jobs, and the project lacked the money and manpower to audit the code, OpenSSL Foundation President Steve Marquess previously told TechNewsWorld.
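To make that "relatively minor coding error" concrete: Heartbleed was a missing check that the payload length claimed in a TLS heartbeat request matched the number of bytes that had actually arrived, and the OpenSSL fix added exactly that comparison. The C below is an added example written for this page, not OpenSSL's code; the simplified record layout, the hb_respond_* names and the demo arena with a planted secret are assumptions for illustration. The vulnerable handler trusts the claimed length and echoes back whatever follows the real payload in memory; the fixed handler bounds the claim by the record length and rejects the forged request.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Simplified heartbeat record, following the RFC 6520 layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Constants, function names and the demo arena are assumptions for this example.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PADDING   16

/* Vulnerable shape: the copy length comes from the record itself and is never compared
 * with how many bytes actually arrived. record_len is accepted but ignored. */
int hb_respond_vulnerable(const uint8_t *rec, size_t record_len,
                          uint8_t *resp, size_t resp_cap)
{
    (void)record_len;                                    /* the bug: never consulted */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];     /* attacker controlled, up to 65535 */
    if (HB_HDR_LEN + payload + HB_PADDING > resp_cap)    /* protects only the destination */
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload); /* reads past the real payload */
    memset(resp + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (int)(HB_HDR_LEN + payload + HB_PADDING);
}

/* Fixed shape: bound the claimed length by the bytes actually received before copying. */
int hb_respond_fixed(const uint8_t *rec, size_t record_len,
                     uint8_t *resp, size_t resp_cap)
{
    if (record_len < HB_HDR_LEN + HB_PADDING)            /* too short to be a valid request */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_PADDING > record_len)  /* claimed length exceeds the record */
        return -1;
    if (HB_HDR_LEN + payload + HB_PADDING > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload);
    memset(resp + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (int)(HB_HDR_LEN + payload + HB_PADDING);
}

/* Constructed demo: a 64-byte arena holding a 21-byte heartbeat request whose header claims
 * 48 bytes of payload, followed by a "secret" the peer never meant to send. Keeping the secret
 * inside the same arena keeps the over-read within allocated memory for this demonstration. */
#define ARENA_LEN    64
#define DEMO_REC_LEN (HB_HDR_LEN + 2 + HB_PADDING)      /* 21: the real payload is 2 bytes */
static const char demo_secret[] = "SECRET-KEY";

static void build_arena(uint8_t *arena, uint8_t len_hi, uint8_t len_lo)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = len_hi;
    arena[2] = len_lo;
    arena[3] = 'h';
    arena[4] = 'i';                                      /* bytes 5..20 are zero padding */
    memcpy(arena + DEMO_REC_LEN, demo_secret, sizeof demo_secret);
}

/* Returns 1 if the vulnerable handler's response contains the planted secret, else 0. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t arena[ARENA_LEN], resp[128];
    build_arena(arena, 0x00, 0x30);                      /* claims 48 bytes of payload */
    int n = hb_respond_vulnerable(arena, DEMO_REC_LEN, resp, sizeof resp);
    if (n < 0)
        return 0;
    /* arena offset 21 lands at resp offset 3 + (21 - 3) = 21 */
    size_t off = HB_HDR_LEN + (DEMO_REC_LEN - HB_HDR_LEN);
    return memcmp(resp + off, demo_secret, sizeof demo_secret - 1) == 0;
}

/* Fixed handler on the same forged request: returns -1 (rejected). */
int demo_fixed_rejects_forged(void)
{
    uint8_t arena[ARENA_LEN], resp[128];
    build_arena(arena, 0x00, 0x30);
    return hb_respond_fixed(arena, DEMO_REC_LEN, resp, sizeof resp);
}

/* Fixed handler on an honest 2-byte request: returns 21 (header + payload + padding). */
int demo_fixed_accepts_honest(void)
{
    uint8_t arena[ARENA_LEN], resp[128];
    build_arena(arena, 0x00, 0x02);
    return hb_respond_fixed(arena, DEMO_REC_LEN, resp, sizeof resp);
}
```

The defect is a missing relationship between two lengths, the claimed payload and record_len, rather than a syntactic slip. A static analyzer only reports it if it tracks that the length is tainted by the network and that the copy is bounded by a different value, which is why this class of bug surfaces as a taint-flow finding with a confidence level rather than a hard error.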
It’s Not the Volunteers, It’s the Pros
However, some argue that it is the corporations that use open source software, rather than independent developers, that should shoulder the blame.
In a Sonatype survey conducted earlier this year, more than 370 organizations reported confirmed or suspected breaches involving open source software in the previous 12 months.
“Much open source software is funded by corporations, not just the Red Hats of the world, so people are getting paid to work on these things,” said John Viega, an executive vice president at SilverSky.
“It’s really an economics problem,” he told TechNewsWorld. “What’s the value of that additional effort, especially when end customers don’t place a high relative value on security [versus] feature functionality?”
Organizations should ensure they keep track of security vulnerabilities in open source components they use for the life of the product, Kyle Kennedy, CTO of Stealthbits Technologies, told TechNewsWorld. “Visibility into open source components [used in enterprise software projects] is critical for risk assessment and regulatory compliance.”
Since this is 50% an ad for Coverity, let’s talk about that for a moment. I wonder if it could have found Heartbleed, Shellshock, or POODLE? I’m guessing no for the latter two, since those were mainly algorithmic problems. And if it found Heartbleed, I’d again guess that it may find a fair number of false positives, since the Heartbleed code was correct on the face of it: it had a bounds check but chose the wrong variable for the check.
I’m not for a moment saying there’s not some good value in what Coverity and similar tools do. Just saying that it’s not a silver bullet, and getting an OK from a code tester is no indication that the protocol implemented in the code is a secure one.