Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

There it is – the security Silver bullet

There it is – the security Silver bullet

  • Comments 1
  • Likes

I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair:

There is an article out there called 11 open-source projects certified as secure. I quote from there "Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects." This is nonsense and we all know it. This is for different reasons: Static source code analysis will never ever be able to find all vulnerabilities. Additionally the threat landscape changes. Even if we would be able to say "the software is secure" (which we will never be), this will be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems. Ways, we have never thought of when we planned for the system.

So, I tried to confirm the above statement on the websites of Coverty: http://www.coverity.com/index.html and http://scan.coverity.com/index.html and could not find the same statement, which I think is not bad – otherwise I would have doubted their capacity.

Actually, Michael Howard commented on that as well: "Open-source projects certified as secure" – huh?

So, to summarize: I am not in the position to assess the quality of Coverty's capabilities and the quality of their tools and processes. The only think I know for sure is that this article is crap

Roger

BTW: Stop looking for the Security Silver Bullet – I do not want to lose my job J J

Comments
  • Coverity's Press Release, says something *quite* different:

    "Coverity Venture with U.S. Department of Homeland Security Resolves Quality Issues and Potential Security Vulnerabilities in 11 Major Open-Source Projects"

    and

    "...potential security and quality defects in 11 popular open source software projects were identified and fixed"

    Those are, of course, only the ones they could find. So, I guess your job is safe after all...

    --

    James

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment