January 8, 2008 7:10 AM PST

11 open-source projects certified as secure

Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.

Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

San Francisco-based Coverity, working in collaboration with Stanford University and under a contract from the Department of Homeland Security, is analyzing source code to certify that open-source projects written in C, C++, and Java are secure. Coverity has not disclosed the amount of the DHS contract.

The certification was created so that companies can "select these open-source applications with even greater confidence," Coverity said.

The company uses a ladder metaphor in its certification process.

Rung 2, which was announced late Monday and is the most secure level to date, includes the 11 projects. Rung 1 now includes 86 projects. Rung 0, the lowest level, currently lists 173 projects.

In all cases, open-source vendors must fix all vulnerabilities discovered by Coverity's tools in order to move up the rungs of the security ladder.

3 comments
Potentially secure
by Astinsan January 8, 2008 8:56 AM PST
Most of these items have the potential of being secure. An improper setting in Postfix, PHP, and Perl can be disastrous. I know you were really talking about the source code, though. Mature projects are usually pretty good.
Sec Code != Sec App
by the osd guy January 9, 2008 3:20 PM PST
What about design flaws? What about info disclosures? What about denial-of-service issues? What about unexpected parse failures? What about ... There is more to secure applications than making sure your buffers are correctly sized. Static analysis can't fully guarantee that, and fuzz testing can only verify the product is as reliable as the fuzzer's randomizer logic.