The results [1] of a two-year study commissioned by the Department of Homeland Defense (DHS) on the quality of programming code in open-source projects have been released. The entire audit was founded on concerns that open-source software, though widely deployed, had never been subjected to a systematic audit. On that basis, a budget was allocated in 2006 specifically to develop automated static analysis tools to vet open-source projects.
The results were gratifying. From an average of 0.30 defects per thousand lines of code (LOC) in 2006, the average defect density has fallen to 0.25 defects per thousand LOC. This represents a 16 percent reduction in defect density achieved over a span of just two years, a notable gain in quality. Obviously, there is no easy way to determine just how "exploitable" each flaw was, though the DHS's original goal of hardening open-source applications seems to have been achieved.
For more on this DHS-sponsored audit:
- check out this Ars Technica article [2]
Links:
[1] http://www.coverity.com/html/user_registration.php?doc=Coverity-Scan_Open_Source_Report_2008.pdf
[2] http://arstechnica.com/news.ars/post/20080521-dhs-sponsored-audit-number-of-oss-code-defects-dropping.html