Coverity investigating open source security

Analysis
Jan 10, 2008 (2 min read)


Coverity Inc, a long-time expert in code analysis, has announced its work with the US Department of Homeland Security to identify security and quality issues in 11 popular open source projects: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

Coverity has been doing a mix of static and dynamic code analysis in the open source world for quite some time, and I’ve always been impressed with what they’ve found. In particular, they did an extensive evaluation of the LAMP stack and MySQL a few years back which helped us identify some security risks that we were able to fix immediately. They’ve done a lot of great work helping open source companies and projects find code vulnerabilities and fix them. They have a pretty exhaustive set of reports available on their web site that describe the work they’ve done evaluating and helping to improve open source software.

As Coverity has noted, open source software is typically more secure and of higher quality than its closed source brethren. Now whether that’s because of more eyeballs, a bigger community of testers or more care taken by the original developers, who knows. (I’ve long felt that compilers hide many sins. Knowing your code is going to be public helps ensure there’s nothing embarrassing in the code.)

As with any kind of code analysis, there are sometimes false positives, but that’s a small price to pay for ensuring improvements in quality and security. If your development team hasn’t tried Coverity in recent years, it’s worth looking into.