It's no secret that the U.S. government, as most businesses are today, is a big consumer of open source. The question is,
as more and more critical projects begin to rely on community-contributed code, how can the government be sure that the software
it's using meets its own standards for security and reliability?
"You've got a lot of [government] departments that are using open source," says Rob Rachwald, senior director of marketing
at Coverity , a maker of static software analysis tools. "There's millions and millions of lines of code. And unless you get some sort
of automated way to keep it under control and understand what the defects are, where the vulnerabilities might be, and a way
to cleanse it, it just gets out of control."
So last week the Department of Homeland Security (DHS) took action, issuing a grant of $1.24 million to be shared between Coverity, Stanford University, and security vendor Symantec. The Stanford team, working
under associate professor Dawson Engler (himself a co-founder of Coverity), will develop a system to audit the most popular
open source applications for software defects, using security intelligence from Symantec and Coverity's testing software.
In traditional software QA testing, analysts run a set of test cases against their application and note whenever bugs, crashes,
or unexplained behaviors occur. With static analysis tools such as Coverity's, on the other hand, the application is never
executed. Instead, the tools work by examining the program code itself. For example, if a programmer wrote a routine that
allocated memory but forgot to write code to release those resources when they were no longer needed, Coverity's tools would
identify that defect by examining the source code.
"What Coverity's looking for is logical, structural flaws in the programs," Rachwald says. "If you wrote an algorithm and
you input two numbers, 1 and 1, and the result comes out to 3, that's not something that we'll check for. The developers within
a company have to make sure their algorithms work."
But although static analysis can't magically create perfect software, Rachwald says this type of testing lets programmers
identify software defects much earlier in the software development process than the traditional runtime method allows. It
also allows them to test a much greater percentage of their code in the same period of time. According to Rachwald, testing
all 750,000 lines of code in the latest version of MySQL would take Coverity only about two hours.
The results of those tests will benefit not just the government, but any organization that relies on open source software
for mission-critical work. Still, Rachwald says, making that defect information available to the open source community could
still present a challenge. He believes that working with individual open source projects to make sure they receive defect
reports in a way that's useful and actionable will be a key role for Coverity in the DHS initiative.
"It obviously doesn't make sense to scan something a hundred times if nobody's going to touch it between those scans," Rachwald
says.
Addressing the defects in open source software is going to take more than just information, however. It's also going to take
money -- which is why this initial DHS grant could be just the tip of the iceberg. As improving the quality of open source
software becomes more and more in the best interests of the U.S. government, expect to see the government increasingly become
not just a consumer of open source, but an active participant.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
