Microsoft Switzerland Security Blog

Security information brought to you by the Swiss Security Team.

Open-source projects certified as secure – huh?

From the Blog of Michael Howard:

I really got a chuckle out of this news item, especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.”

So we finally have the security silver bullet!
Run this tool on your code, fix the bugs, and you’re secure (and maybe unbreakable?!)? I don’t think so.

There are three big problems with this line of thought:

  • First, the security bugs found are only the security bugs found by the tool, and that list is always smaller than the list of all bugs.
  • Second, it assumes that any new code or code changes are bug free, which may or may not be true. In my experience, it is rarely true that new code is utterly bug free if you don’t take a holistic, process-oriented view to security.
  • Third, and this is probably the most important, at best the tool understands a subset of today’s vulnerabilities; that could all change tomorrow when a new class of vulnerability or a subtle variant is found.

Full blog post:
http://blogs.msdn.com/michael_howard/archive/2008/01/10/open-source-projects-certified-as-secure-huh.aspx

Urs

Comments
  • A picture says it all, doesn’t it? The full report can be found here. And of course, read the blog post.

    Thanks for the interesting post!
