US Government Studies Open Source Quality 165

anadgouda writes "The US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"
  • So, (Score:5, Interesting)

    by Eightyford ( 893696 ) on Saturday March 04, 2006 @03:35PM (#14850700) Homepage
    So, does anyone have the numbers as to how much of the government uses open source? Is it mostly an applications thing (OpenOffice) right now, or are Linux and the BSDs much in use?
  • by BigBuckHunter ( 722855 ) on Saturday March 04, 2006 @03:44PM (#14850710)
    This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered. It's hard to tell from the article whether they did or not. One thing that I have learned from running ~arch in Gentoo is that if you don't submit bugs, things aren't going to get fixed.

    BBH
  • Compare with... (Score:2, Interesting)

    by Anonymous Coward on Saturday March 04, 2006 @04:13PM (#14850813)
    ...New Zealand's recent analysis of open source [e.govt.nz], which focuses on legal issues.
  • by wfberg ( 24378 ) on Saturday March 04, 2006 @04:20PM (#14850837)
    is good for the gander?

    I wonder what "bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes" have been uncovered by looking at the source code of closed source softw... oh. wait. no source. heh.

    This might well mean that open source software will, at some point in the future, be considered more secure and well-written than comparable commercial closed source software even by government or PHBs.

    You have to wonder about the difference in "errors per thousand lines of codes" metric though. Does one project use
    int a;
    a = 5;
    and the other
    int a=5;
    ?
  • Yes (Score:5, Interesting)

    by jascat ( 602034 ) on Saturday March 04, 2006 @04:21PM (#14850847)
    While not used on every desktop, I know of a lot of F/OSS being used everyday in the military. It would be stupid to not use it. Why would companies like Redhat and Novell spend money on getting their software certified to run on classified systems if it wasn't going to get used? While we may be selling out to Microsoft a lot, there are times when those of us who know better manage to convince the decision makers of the right tool for the job. In some cases, it's a MS product, in others, it's something else.
  • RTFA (Score:4, Interesting)

    by Night Goat ( 18437 ) on Saturday March 04, 2006 @04:35PM (#14850882) Homepage Journal
    From the article, which I'm SURE you read:

    Coverity evaluated 15m lines of open source code with Stamford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.

    Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.
  • by toddbu ( 748790 ) on Saturday March 04, 2006 @04:38PM (#14850892)
    The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in Washington has to do with politics.

    You can't really be that naive, can you? Take the OMB for example. There's a big debate [ombwatch.org] going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.

    Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.

  • Re:MOD PARENT DOWN (Score:2, Interesting)

    by Jeremy.DeGroot ( 878927 ) on Saturday March 04, 2006 @04:52PM (#14850937)
    If this came from who I think it did, your IS ain't in any better shape than mine, buddy. :-p
  • by Anonymous Coward on Saturday March 04, 2006 @05:05PM (#14850972)
    Upon reading the PDF it struck me that if an organisation like the military wanted to use OSS in a more secure fashion, then the use of closed locked-down binaries of the code like a default Linux secure network setup is the best option. The problems arise when the individual nodes can be modified willy-nilly by malicious code. If you do not include a compiler on the nodes and make sure that binaries cannot be installed by users then you have a blueprint for bulletproof security. Given that the code that is originally compiled into the secure binaries is all visible, it would seem dangerous for the military to use closed source binaries like Windows software and remote access sys-admin.
  • Same Old Math Error (Score:2, Interesting)

    by oldCoder ( 172195 ) on Saturday March 04, 2006 @06:25PM (#14851199)
    These guys just can't think straight:
    LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines.
    So if LAMP open-source is simply more verbose than other kinds of open source, the number of bugs per line of code can go down? How about just adding a million lines of bug-free but totally bogus code to your project -- and completely winning the race of "Defects per 1,000 lines of code"?

    If I remember correctly Coverity has been discussed on slashdot previously and they used the same diseased statistical thinking back then, too.
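
Added example (not from the thread, the Register article or the Coverity report): a small Python script that computes defects per 1,000 lines two ways, by physical line count and by a rough logical-statement count, over two constructed C snippets that do the same thing, and then shows the "pad the project with bug-free filler" effect oldCoder describes. The snippets, the defect counts and the helper names are all made up for illustration; the 0.32 and 0.42 per KLOC figures quoted above are only used as inputs.

```python
"""Defect density (defects per 1,000 lines) and how line counting skews it.
Constructed example; nothing here is taken from the Coverity report."""
import re

# Constructed sample: the same C function written verbosely and tersely.
VERBOSE_C = """\
/* add with explicit temporaries */
int add(int x, int y)
{
    int a;
    int b;
    int result;

    a = x;
    b = y;
    result = a + b;
    return result;
}
"""

TERSE_C = """\
/* same function, fewer lines */
int add(int x, int y) { return x + y; }
"""


def physical_lines(src):
    """Naive 'lines of code': every non-blank line, comments and braces included."""
    return sum(1 for line in src.splitlines() if line.strip())


def logical_statements(src):
    """Rough statement count: strip /* */ comments, then count ';' terminators.
    Braces and the function header are not counted, which is the point: the
    two snippets above differ by a factor of ~7 in statements but ~5.5 in lines."""
    no_comments = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return no_comments.count(";")


def defects_per_kloc(defects, lines):
    """The metric as usually reported: defects per thousand lines."""
    if lines <= 0:
        raise ValueError("need a positive line count")
    return 1000.0 * defects / lines


def density_report(defects, src):
    """Same defect count, two denominators; the ratio changes with coding style."""
    return {
        "physical": defects_per_kloc(defects, physical_lines(src)),
        "logical": defects_per_kloc(defects, logical_statements(src)),
    }


def inflated_density(defects, lines, padding_lines):
    """oldCoder's objection: adding defect-free filler lines lowers the density
    without fixing a single bug, because only the denominator grows."""
    return defects_per_kloc(defects, lines + padding_lines)


if __name__ == "__main__":
    # One hypothetical defect in each snippet: the terse version looks 5x worse
    # by physical lines and 7x worse by statements, for identical behaviour.
    print("verbose:", density_report(1, VERBOSE_C))
    print("terse:  ", density_report(1, TERSE_C))
    # 42 defects in 100,000 lines is the quoted 0.42/KLOC; a million lines of
    # bogus filler drags it below 0.04/KLOC with the same 42 bugs still present.
    print("padded: ", inflated_density(42, 100_000, 1_000_000))
```

The takeaway for anyone reading the report's headline numbers: the denominator is a measure of verbosity, not of code, so cross-project comparisons only mean something if the projects count lines the same way and nobody has an incentive to inflate them.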

  • Re:So, (Score:4, Interesting)

    by egypt_jimbob ( 889197 ) on Saturday March 04, 2006 @08:52PM (#14851759) Homepage Journal
    Speaking as a student about to graduate and go into Federal Civil Service as a penetration tester, I can tell you that all of the agencies with which I have interviewed use mostly Linux. Well, all of the agencies that are actually good at what I want to do.

    So far it's been mostly Gentoo from what I've seen, but there are some places that have to use RedHat because their management said it has to have 'support.'

    Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.
  • by tech_guru5182 ( 577981 ) on Saturday March 04, 2006 @09:05PM (#14851801)
    Actually, it appears to be a switch back to the old versioning scheme.

    Also, I agree with the comment about the FUD mobile appearing.

    I have no problems finding a local community college with Linux classes. I actually took one a few years ago as part of my associate's degree. You may want to try searching for UNIX instead, as Colleges usually keep old names around. The class I took was actually called UNIX Concepts, but was actually taught on Red Hat Linux.

    See
    EET 175 Network Operating Systems
    EET 208 UNIX Concepts
    at Owens Community College [owens.edu]
  • software is NOT always the best solution for every problem, especially when it comes to security.

    .... you say this [the above], then proceed to make an argument based solely on functionality and support of software packages available. Do you have anything to back up your initial statement there, that non-Open software is somehow better for applications that require "security" (a vague term at best, in this context, I think - are you talking security against networked crackers, automated worm attacks, attempts to decrypt encrypted data ... )? I'm not trying to "flame" you, but you don't support your statement at all in your post, and I honestly can't think of an instance where proprietary or closed source software is "more secure" than F/OSS...

    I can not take a course on Linux at my local Community College.

    You should move to where there's a better community college - I think it may even be safe to use the word "most" when describing how many schools there are across the country now that are teaching Linux, FreeBSD, or both. Are you saying your school doesn't offer it, or that you can't take it for some other reason?

    As a sidelight, note that many schools that have received endowments from M$ (thru one channel or another) have magickally dropped the course-work they once had that didn't require the purchase (at a student discount, of course) of M$ products - if that's what's going on at your school, you might want to address it with your administration - after all, when you're paying for an education, they're defrauding you if they don't give you what you pay for - regardless of what M$ is paying them (under the table) not to teach you....

    out in to the real world as system administrators and/or programmers, they will have a better chance to find a job if they know Windows and Linux

    Not sure just what sector of the real world you're talking about, here, but *I* won't hire you if you don't understand operating systems generally (we're talking critical embedded systems here - the stuff that's going to outlive the users who are thinking they need a "new" obsolete PC), and have some skill with anything that can be called one. "Platform Independence" and "Language Independent" aren't just test questions in the Real World outside Microsoft Applications Land - a rich and profitable land to be sure, but nothing grows there so all [brain] food must be imported, and life expectancy is pretty short generally due to contaminated memepools, rarified atmospheres, and the mind-numbing depressions induced by the incredibly bleak cyberscapes...)

    Anyway - all that said, I do agree with you about support for F/OSS - it is overall difficult to access, often hard to understand, and generally just unusable for those who are not already to some degree technical initiates. And that does need to change. Imo.

  • SE-Linux (Score:2, Interesting)

    by Anonymous Coward on Saturday March 04, 2006 @10:18PM (#14852018)
    Why no mention of SE-Linux?
    One agency study.
    1.5 million dollars spent.

    How much did the NSA spend developing SE-Linux?
    Must have cost more than 1.5 million. And that is now at the core of Linux.

    Yes many in the US Government are aware that Open Source software rocks.

    Impeach the Liar
  • by Morganth ( 137341 ) on Sunday March 05, 2006 @01:27AM (#14852518) Journal
    I know that there is a Stamford University, and everyone always jokes that it's for people who want to pretend they went to Stanford, but, this just makes things really confusing. The Register article says Coverity used a verifier from Stamford University, when really the program came from Stanford [coverity.com]. In fact, AFAIK, UCONN-Stamford doesn't even have a CS department.
  • by AHumbleOpinion ( 546848 ) on Sunday March 05, 2006 @12:37PM (#14853763) Homepage
    The US Navy replaced Sun with Yellow Dog Linux, originally on Apple hardware and now on some other PowerPC based hardware, for sonar processing on subs.
  • by tricorn ( 199664 ) <sep@shout.net> on Monday March 06, 2006 @03:12AM (#14856216) Journal

    The real problem isn't bogus stats caused by line inflation. The real problem is that it only finds certain types of bugs. If a bug causes an incorrect result or improper behavior, but doesn't cause a memory leak or the like that crashes the program or system, then it isn't being found. It also isn't finding STUPID code - code that works but is ridiculously convoluted, slow, difficult to modify, redundant (writing 5000 lines of code to do some string manipulation and parsing that could be done just as easily and efficiently using a RE library, or use lex, or some other straightforward solution - I've seen code that re-implemented several of the standard library string routines, and to add insult to injury, did it poorly and with a memory leak - at least these guys would have found the memory leak, but their solution would probably be to fix the leak, not toss the whole routine). C++ programmers seem to do this kind of thing particularly often, although many "object oriented" programmers can screw things up in multiple languages with equal facility.
