Shows Commercial Code Is More Tractable than Open Source Code to Security Standards

By   ISBuzz Team
Writer , Information Security Buzz | Aug 09, 2015 09:00 pm PST

Coverity, the leader in software quality and security testing solutions, has released its annual Coverity Scan Open Source Report. For the first time in this year’s report, it was found that commercial code bases are significantly more secure than open source. This is likely due to a high number of open source security incidents during 2014 and the general inaccessibility of common security tools to open source projects due to limited budgets

Synopsys, Inc. (Nasdaq:SNPS) announced the release of its annual Coverity Scan® Open Source Report. The 2014 report details the analysis of nearly 10 billion lines of source code through the Coverity Scan service and commercial usage of the Synopsys Coverity® Software Testing Platform, the largest sample size that the report has studied to date. For the report, the company analyzed code from more than 2,500 open source C/C++ projects as well as an anonymous sample of commercial projects in 2014. Additionally, the report highlights results from several popular, open source Java and C# projects that have joined the Coverity Scan service since March 2013.

The Coverity Scan Open Source Report has become a widely accepted standard for measuring the state of open source code quality. Since its inception nine years ago, the Coverity Scan service has analyzed billions of lines of code, and as of today has reviewed more than 5,100 open source projects – including C/C++ projects such as Linux, FreeBSD, LibreOffice, Python, PostgreSQL, Firefox and NetBSD, and Java projects such as Apache Hadoop, HBase, Tomcat, Cloudstack and Cassandra. The Coverity Scan service has helped developers find and fix more than 240,000 defects since 2006. As detailed in the new Coverity Scan Open Source Report, nearly 152,000 defects were fixed in 2014 alone – more than the total amount of defects that had been found in the previous history of the service.

Based on static analysis defect density, open source code outpaced commercial code for quality in the 2013 report. This trend continues in 2014; however, this year the report also compared security compliance standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25, and found that commercial code is more compliant with these standards than open source code.

Key findings from the latest report include:

  • Defect density(defects per 1,000 lines of code) of open source code and commercial code has continued to improve since 2013: When comparing overall defect density numbers between 2013 and 2014, the defect density of both open source code and commercial code has continued to improve. Open source code defect density improved from 0.66 in 2013 to 0.61 in 2014, while commercial code defect density improved from 0.77 to 0.76.
  • Coverity Scan aids OpenSSL in post-Heartbleed investigation:According to OpenSSL co-founder Tim Hudson, the Coverity Scan service helped to catch newly discovered defects and highlight where other issues like the Heartbleed bug might exist. Since Heartbleed, OpenSSL has fixed 302 defects found by Coverity Scan, and now has a 0.21 defect density.
  • Linux remains a benchmark for static analysis defect density:Since joining the Coverity Scan service in 2006, Linux has retained its commitment to quality, which remains a key focus. During 2014, Linux leveraged the Coverity Scan service to find and fix more than 500 high-impact defects, including resource leaks, memory corruptions and uninitialized variables.

“As a whole, software quality and security are improving, but neither open source nor commercial standards are complete or conclusive enough to catch everything,” said Zack Samocha, director of marketing for the Software Integrity Group at Synopsys. “As software projects are being pushed to market faster than ever before, developers need to balance security with speed. As more of these projects use solutions like Coverity Scan, we expect to see continued improvement in open source and commercial code security throughout 2015.”[su_box title=”About Coverity Scan” style=”noise” box_color=”#336588″]coverityIn 2006, the Coverity Scan service was initiated with the U.S. Department of Homeland Security as a public-private sector research project, focused on open source software quality and security. With the acquisition of Coverity by Synopsys in 2014, Synopsys now manages the project and provides its development testing technology as a free service to the open source community to help them build quality and security into their software development process.[/su_box][su_box title=”About Synopsys” style=”noise” box_color=”#336588″]synopsysSynopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. As the world’s 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP, and is also a leader in software quality and security testing with its Coverity® solutions. Whether you’re a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest quality and security, Synopsys has the solutions needed to deliver innovative, high-quality, secure products.[/su_box]