Forgot your password?
typodupeerror

LAMP Lights the OSS Security Way 178

Posted by Zonk
from the bashing-in-the-heads-of-bugs dept.
Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"
This discussion has been archived. No new comments can be posted.

LAMP Lights the OSS Security Way

Comments Filter:
  • Old news (Score:2, Informative)

    by Fnord666 (889225)
    This is old news [serverwatch.com]:
  • by Valdrax (32670) on Tuesday March 07, 2006 @11:32AM (#14866490)
    Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.

    I need to do something about my cynicism.
    • by gbjbaanb (229885) on Tuesday March 07, 2006 @11:38AM (#14866532)
      Well, once you read this snippet from the article, they'll have enough ammo:

      "There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

      I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.
      • I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

        Spot on, as you can see on scan.coverity.com [coverity.com]:

        • PHP features 205 defects for 431,327locs, or 0.475 defects/kloc
        • Perl has 91 defects for 431,327locs, or 0.19 defects/kloc
        • Python is very slightly lower than perl (but with a noticeably smaller codebase) at 49 defects for 259,908locs or 0.189 defects/kloc
        • Apache-httpd features 32 defects in 127,817 locs, or 0.25 defect/klock
        MySQL isn't featured (Ruby is also a noticeable absent), but PostgreSQL stands at 296 defects for 815,748 locs, or 0.363 defects/kloc, and the lightweight SQLite has 16 defects for 60,722 locs or 0.263 defect/klock.
      • Well, once you read this snippet from the article, they'll have enough ammo:

        "There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

        I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

        Well, I know a way where you can leave PHP in that stack and still make the bugs/KLOC figure go down REAL

    • I need to do something about my cynicism.

      Relax. Some of us are so cynical, we regard your statement as a ray of Pollyanna sunshine.

  • Fucking LAMP. (Score:5, Insightful)

    by autopr0n (534291) on Tuesday March 07, 2006 @11:34AM (#14866499) Homepage Journal
    I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

    To me, MySQL is like the MS Access of the Open Source world.
    • Just wait until Oracle takes over MySQL - the options will be only to go from MySQL to Oracle because "something" will change to make migration easier.

      I don't trust Oracle, I've seen them move into too many companies and push others out as well as backstab their own partners.
      • MySQL (Score:3, Insightful)

        by suso (153703) *
        I don't trust Oracle

        Honestly, I don't trust MySQL either. Every since they started going more commercial, there have been indications that eventually MySQL will be more closed up than open. But that's just speculation. So I've been slowly switching my stuff to use Postgresql. The only problem I have with postgresql is that it doesn't handle user administration as well. Other than that, its awesome.
    • Re:Fucking LAMP. (Score:3, Interesting)

      by Trevin (570491)
      I'd love it if database management systems were compatible enough to allow that. The trouble is, it seems only the most basic query syntax has been standardized. Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.
      • Re:Fucking LAMP. (Score:2, Interesting)

        by mrops (927562)
        Hey that why I say LAMP will never take the place of say Java/spring/hibernate/tomcat/jboss.
      • Is have DB spesific code for creating the tables, auto increments, etc. and then use standard queries.
        • Creating tables and querying tables isn't even the majority of a database development project. Also, if you want to make full use of your db, you'll probably have non-standard stuff in your queries anyway. Ignoring those features is fine unless they happen to make things work faster or better in some way. At that point, your PHB is firing you to hire someone who "knows how to get the most our of the db".
      • Ever heard of ORM?

        Clearly not the best thing for fine tuning your perfs (nothing is but raw SQL and good admins that known the DB), but try checking ActiveRecord for example, it does in fact allow table creation including column types, indexes, 1-1, 1-many and many-many relations between your tables (doesn't handle "true" foreign keys yet though), DB migrations (editing your databases, adding or removing columns or complete tables, modifying a column, ...) and everything is done in Ruby...

      • Re:Fucking LAMP. (Score:4, Interesting)

        by Decaff (42676) on Tuesday March 07, 2006 @03:49PM (#14869069)
        Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.

        There are open (and closed) source products that have dealt with these issues for years. Modern ORMs products handle all of these matters, and automatically provide translation between portable query languages (such as JDOQL) and high-performance vendor-specific SQL depending on the database you deploy on.

        It is astonishing to see these matters still being discussed as if no solution exists!

    • Re:Fucking LAMP. (Score:2, Insightful)

      by aurb (674003)
      Indeed. I wonder why people are not using SQLite [sqlite.org] where they need a fast and not _very, very_ large database (that's the case with most websites). And if there's a need for a big and reliable db -- PostgreSQL is the answer.
      • Because it is so easy to find web hosting with MySQL.

        Next...
      • Re:Fucking LAMP. (Score:3, Interesting)

        by Malor (3658)
        SQLite doesn't seem to be very fast. I know the SlimDevices people are having some trouble with it. They write SlimServer, an open-source Perl server that indexes music and drives the company's (excellent) Squeezebox players.

        The problem seems to happen when people have very large collections, greater than 10,000 tracks... updates become slow, and the whole system gets a little sluggish. Apparently, when using MySQL, the problem goes away completely... or at least until someone gets to 100k tracks or some
    • Re:Fucking LAMP. (Score:5, Insightful)

      by Lumpy (12016) on Tuesday March 07, 2006 @12:09PM (#14866761) Homepage
      I'm sick of DB makers ignoring standards and making their SQL not 100% SQL99 compliant.

      it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

      That is one of the big problems. the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MYSQL, and Oracle that cause pain and suffering like this.

      • That's nothing.

        As an undergraduate, I took a class taught on Oracle platform (it helps that the department got a hefty kickback from Oracle). I got sick for 2 weeks and studied out of a database text that was all about SQL '99. The prof smoked my grade for using SQL '99 syntax, despite, otherwise, getting the questions right.
        • Databases are fairly proprietary, and a class on databases should be specific to a platform and if oracle is used then oracle is what matters. Besides oracle is number one in the database market right now, so that seems just fine to me either way. They are the standard.

          Unless there is some more to the story (is there?) then the the professor did the right thing.
          • Re:Fucking LAMP. (Score:4, Insightful)

            by Khelder (34398) on Tuesday March 07, 2006 @01:29PM (#14867548)
            Well, the GP didn't say what kind of undergraduate degree program he was in, so maybe it was on something very applied like "Database Administration" and you're right.

            But if he's getting a Computer Science degree (which seems to be the plurality of students on /.), then his courses should *not* be emphasizing how the syntax for database A is different from the syntax for database B. The courses should be about higher level concepts (maybe replication, or normalization).
        • I guess I'm lucky.

          I'm in a beginning programming class, and the language is C++, and the tools that the teacher is forcing down our throats is MS Visual Studio.

          I looked ahead at the programming examples, and it's all basic logic (really, I should have just tested out of this class, but the school's process for that doesn't allow for it due to the program I'm in - anyway. . . ). None of the C++ code relies on win32 libraries. It's all simple basic stuff - so I pasted some of the assignments into XCode on my
          • Ahh, see, here's the catch.

            The year was 2000, so good texts on SQL 99 were hard to come by. MySQL wouldn't honor referential integrity constraints, so it's output was just wrong, no matter how you sliced it. We were using Oracle.

            Simply put, the Oracle syntax was 100% different for certain things. Tools and what not aside, if you put SQL 99 code into Oracle, I think that it would work (but don't remember so clearly on that point), but Oracle PL/SQL for triggers, stored procedures, and functions? It's not
      • Do not use complex queries then. If your DB is on the same host as your web/application server there should be no big performance penalty in doing series of "smaller" queries. As an added bonus - they well may be easier to debug. And do not name your tables "order" or your fields "desc" (though I really hate prefixes/suffixes).
        • If your DB is on the same host as your web/application server

          If you are relying on this type of architecture, where one machine does all the work, interoperability with seperate databases is probably not even needed.

          But if you're working with a project that needs replication and such, then you really can't rely on DB and web server being the same machine. Sometimes you have to sell your software as an installable product and make it work on multiple DB platforms. Sometimes you have to write to foreign data
      • Why don't programs treat SQL as an internalization problem? In a very real way each database server speaks a different language right? If your web site can dish out web pages in croatian why can't it handle four or five dialetcs of SQL?
      • it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

        So, a SQL parser and compiler that can transform queries between these should be trivial to make, right?
        The absense of this tool, combined with the absolute immense usefulness of it, tells my sense of logic that this is not really the case.
      • In the Java world, we have moved to Hibernate, Castor and other Object/Relational engines to get around this problem. Hibernate is especially good at "swapping out" database vendors. But I agree, MySQL is especially poor and SQL compatibility.
      • It's perfectly fine to subset SQL, IMO.

        The fact that so many databases do subset SQL99, however, is perhaps an indication that we would benefit from a well defined "SQL Light" subset.
    • The whole database concept is just fundamentally wrong.
    • I tried Postgres but it was a pain,

      it was a pain to figure out how to set up

      It was a pain to properly configure (never did to my satisfaction, not much good documenation on editing the users file).

      It was a pain to get programs that support it to work with it (eWiki) and then not all the features worked when I did (embedding images).

      And then if I wanted to do clustering or distributed DBs and such down the road, it was turning out to be a pain finding information about that also.

      I liked what I saw, the

    • And PHP is the Visual Basic of the open source world.
    • I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

      Sadly, I have found, that there are some basic operations that require non-standard-SQL. I wish SQL were just a *bit* more rich, so it weren't necessary. (One example, if I'm not mistaken, is last_insert_id(), to find the last value in an autoincrement insert. Not possible to do atomically without a server-specific function.) There are a handful

    • Exactly. Somebody involved with the process told me that MySQL had their code scanned ahead of time, fixed the problem, and then had the "official" scan done. Oh well.

      I also wihed MySQL would reduce the marketing spin a little. Two examples:

      • Not being able to update rows in Archive-Engine tables... Apparently they couldn't figure out how to do that (after all since the tables in the Archive Engine are compressed you'd have to store is chunks, find the right chunk, uncompress, update, and recompress). Ora
  • by urdine (775754)
    Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!
    • by Anonymous Coward
      Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!
      They do - it says so in the article.
    • by Bazzalisk (869812) on Tuesday March 07, 2006 @12:14PM (#14866797) Homepage
      Ah, but how many lines of code will it take to correct the bugs? and will those bugfixes themselves contain bugs?

      Interested minds couldn't care less.

    • Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

      Many other studies and most programmers experiance shows that there is a high likelyhood of introducing a bug whenever you make a change to existing code, In fact on a per line of code written basis "fixes" are about the buggyist code you can write. So if you have .3 bugs per KSLOC (Kilo lines of code) in mature code like Apache orthe Linux kernal the new stuff that fixes a bug might have three times as many b

    • The people who roam on the dev mailing lists of the various projects scanned by Coverity have seen a Coverity guy ask for the security team to whom he could hand the defect reports.
  • by Anonymous Coward
    After all, that stuff's running most of the Internet.
    • Oh nog... lets rewrite all the DNS root servers to use LAMP~!

      That would be the coolest thing EVA!!!

      Until Google gets around to buying them all and porting them to a simple but usable AJAX format!
  • Counting Defects (Score:2, Interesting)

    by RasendeRutje (829555)
    How can one ever count the defects/bugs per line?
    And why count them, and then not remove them?
    And one huge defect is better than more than one small ones?
    Sounds like a crappy research to me, time to RTFA.
    • Re:Counting Defects (Score:3, Interesting)

      by Pedro Sobota (959537)
      Very Bad, and I have seen a US Defense - contracted software company (they even do helicopter systems) on their website extensively touting their 'lower defects per line of code (DLC)' methodology. Marketing.
    • How can one ever count the defects/bugs per line?

      With a tool whose goal is to scan for defects (out of bound access, memory leaks, uninitialized pointers, ...)

      And why count them, and then not remove them?

      Duh?

  • by digitaldc (879047) * on Tuesday March 07, 2006 @11:42AM (#14866565)
    As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

    Just an FYI...AMANDA had the highest amount of bugs at 1.214 Defects / KLOC and OpenVPN the lowest at 0.100 Defects / KLOC.
    • YEAH RIGHT! (Score:5, Insightful)

      by suso (153703) * on Tuesday March 07, 2006 @11:45AM (#14866587) Homepage Journal
      Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

      Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless its the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".

      I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.
      • Who says that when XMMS crashes it is XMMS'es fault?

        It could be one of its library's. XMMS source code doesn't give you the player (or at least not one that will do anything) if you used gentoo or LFS you would know this.

        Oh and bugs != programming errors or design flaws. Even if you elimenate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. Wich is a good thing. Unless your the cat.

        • Oh and bugs != programming errors or design flaws. Even if you elimenate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. W(h)ich is a good thing. Unless you('re) the cat.

          I had a professor who used to say "There is no such thing as a bug. Take responsibility for your errors". All "bugs" *are* programming errors or design flaws unless you are actually talking about a moth that shorted out your powersupply

      • Re:YEAH RIGHT! (Score:3, Insightful)

        by maelstrom (638)
        I think it should be obvious this bug scanner only picks up on certain classes of "bugs". If they had an automated way of detecting all types of bugs, they would be rich beyond their wildest dreams. I imagine it picks up certain things like out of bound accesses, mallocs without frees, etc. It would make sense that Amanda would have more types of these operations going on than something like xmms.
      • Re:YEAH RIGHT! (Score:2, Informative)

        To address several comments I've seen:

        * The Amanda developers (as far as I know) were not contacted that Amanda was on the list before it became news. But, Coverity _was_ quick and friendly about giving Amanda developers full access to the bug list for Amanda when we registered.

        * Their checks do go beyond simple static checking; they are looking at possible values of index variables at different points in the code to assess potential overflows, and they are tracking malloc/free pretty well. You can find
  • by Wannabe Code Monkey (638617) on Tuesday March 07, 2006 @11:47AM (#14866607)

    I have to say, I'm suprised and impressed... a $1.2M grant to harden open source software? Thanks all seeing orwellian eyeball. I don't recall slashdot posting anything about the original grant but here's a link from the posted article to another about the funding [zdnetasia.com].

    The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

  • by mwvdlee (775178) on Tuesday March 07, 2006 @11:48AM (#14866612) Homepage
    If an automated system can detect bugs in code, why can't it fix them automatically too?
    • If your C++ compiler knows there's a missing semi-colon, can't it just add the semi-colon in?

      Well... no. It doesn't know what the hell your code is trying to do, and therefore it doesn't know where the missing semi-colon is supposed to go, exactly.
    • Because it works on the same technology as my girlfriend:

      GF: "The bath is leaking!"
      Me: "Fix it then"
      GF : "The bath is leaking! That's your job!"
      Me: "Why? I know as much about plumbing as you do. Here, have a spanner."
      GF: "What's a spanner?"
      GF: ...
      GF: "The bath is still leaking!"

      Identifying and whinging about a problem is a completely seperate problem to identifying and actioning a fix.

      PS. Spanner = Wrench
      PPS. This isn't a slight on girlfriends in general, I'm sure some girlfriends can plumb, I just don't ha
  • I noticed that on Coverity's demo page [coverity.com], there's no mention of MySQL. If they *do* scan MySQL for bugs, why not have it on the front page?
  • by RealProgrammer (723725) on Tuesday March 07, 2006 @12:01PM (#14866703) Homepage Journal
    Researchers at clandestine research labs in bases hidden deep in the Russian Alps have attempted to analyze portions of the leaked Internet Information Server (IIS) and Windows Vista code for similar flaws.

    The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.

    On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".
  • by Dareth (47614) on Tuesday March 07, 2006 @12:08PM (#14866755)
    The LAMP stack when broken down consists of:
    Linux & Apache - rock solid stable releases.
    MySql - Okay, getting better with each release.

    P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
    We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?

    Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.

  • Did the article say what kinds of things the automated tool flagged as bugs?
  • by Device666 (901563) on Tuesday March 07, 2006 @12:15PM (#14866808)
    Security is not a feature, security is design. This ultimely means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and most importantly knowledge how to use a system. This means that security only will need tools to help a system architect and developer to confront him with his limits of his human brain and have a well documented yet very simple concise system and low speed development cycles.

    Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice. But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security, however someone may learn faster form the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source coorporate software is not good with security, but it isn't proof of sound security.

    Most interesting is OpenBSD with it's oustanding default values, it's very own high profile malloc which prevents coders for lot of buffer underrunes/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".
  • "The company did not give details on the scope of the flaws it found." After all that work reviewing a rather massive amount of code, are they not going to publish detailed results, or at least contact developers? They have their data for the study now. WTF?
  • "LAMP Lights the Way"?! Was Slashdot acquired by C|Net?

    For the love of all that's holy, please drop the hackish high-school-newsletter headlines.
  • Do we have any metrics to compare this to Commercial software quality? I know thats a bit hard to answer, but I'm curious what this same tool has found when used on commercial code.

    Maybe someone works for a company that used the tool on their code? Or some results have been published somewhere?
  • Add more linefeeds!!! ;)
  • bug reports? (Score:3, Interesting)

    by Janek Kozicki (722688) on Tuesday March 07, 2006 @01:23PM (#14867487) Journal
    17500000 lines of code, 0.434 bugs per 1000 lines, that makes 17500*0.434=7595 bugs, so where are the bugreports?
  • It's not really free software now that I'm being forced to pay for it.

If entropy is increasing, where is it coming from?

Working...