Open Source Projects

Study claims that open source software is a security risk

Paul Mah — Tue, 22 Jul 2008 09:06:28 -0400

A study released earlier this week was critical of open source software after evaluating 11 such projects over the course of three months. "Open Source Study--How Are Open Source Development Communities Embracing Security Best Practices?" was put together by Fortify Software, together with consultant Larry Suto to gauge whether open source projects adhere to security best practices.

Various active projects were evaluated to determine their responsiveness to security questions, as well as vulnerability findings, among other metrics. Application server Tomcat came up tops, though all the other projects gave a dismal showing. Jacob West, manager of Fortify's security research group, summed up what he thinks of the problem: "In two-thirds of these cases, you didn't get a response at all."

To read up more on the security risks of open source software:
- check out this Network World article

Cisco leans towards open source

Paul Mah — Tue, 27 May 2008 03:45:17 -0400

Cisco Systems has announced a new messaging protocol called Etch, designed to allow developers to integrate client/server applications without the overhead common to traditional protocols such as SOAP. It also was created to be language, platform and transport agnostic. Initial release will support both C# and Java, with implementations for Ruby, Python and C expected to be available in the near future. Integration into Microsoft's Visual Studio or the Eclipse project will be included.

The hidden gem in the announcement is that Etch will be open-sourced, though Cisco is still trying to decide which license to use. Coming from Cisco, this could well herald a new wave of open source projects spearheaded by traditional proprietary-systems vendors.

For more on Cisco's new messaging protocol:
- check out this CIO.com article

Number of open-source code defects going down

Paul Mah — Fri, 23 May 2008 05:54:22 -0400

The results of a two-year study commissioned by the Department of Homeland Defense (DHS) on the quality of programming code in open-source projects have been released. The entire audit was founded on concerns that open-sourced software, though widely deployed, was never subjected to a systematic audit. On that basis, a budget was allocated in 2006 to specifically develop automated static analysis tools to vet open-sourced projects.

The results were gratifying. From an average of 0.30 defects per thousand lines of code (LOC) in 2006, the average defect density has fallen to 0.25 defects per thousand LOC. This represents a 16 percent reduction of defect density achieved over a span of just two years--a notable gain in quality. Obviously, there is no easy way to determine just how "exploitable" each flaw was, though the DHS's original goal to harden open-source applications seems to be achieved.

For more on this DHS-sponsored audit:
- check out this Ars Technica article