Open source developers getting better at secure practices

By Marilyn de Villiers
Johannesburg, 16 Nov 2017

The 2017 Coverity Scan Report, which examines open source software (OSS) quality and security, has found significant adoption of security software development practices.

The data used in the report was collected over the past decade through Coverity Scan, a free static analysis solution from Nasdaq-listed application security testing company, Synopsys. The solution is currently used by more than 4 600 active OSS projects.

According to Andreas Kuehlmann, senior vice president and general manager of the Synopsys Software Integrity Group, Coverity Scan started in 2006 as one of the largest public-private sector research projects initiated with the US Department of Homeland Security (DHS) with a focus on OSS integrity. The affiliation with DHS ended in 2009.

Synopsys Coverity Scan helps reduce risk and lower overall project cost by identifying critical quality defects and potential security vulnerabilities during software development. Synopsys manages the Coverity Scan project and provides static application security testing (SAST) as a free service to the open source community to help projects build quality and security into their software lifecycle.

"Due to the ubiquity of open source and the vital role it plays in virtually all types of software, understanding and managing its risks can no longer be optional," Kuehlmann said.

However, the report, which was released this week, points out that the distinction between proprietary/commercial and open source has become irrelevant. According to some of the largest commercial users of Coverity, software being shipped to customers can contain up to 90% open source code. In addition, there are now companies founded entirely on OSS. OSS is now the norm.

Mel Llaguno, Open Source Solution Manager at Synopsys and author of the report, said that while the success of OSS was unquestionable, its adoption highlighted a growing concern regarding the quality, security, and maturity of the software itself.

"Many people attribute the quality of OSS to Linus' law, which states, 'Given enough eyeballs, all bugs are shallow.' Unfortunately, simply making code publicly accessible for review is no guarantee of quality, as we found out the hard way with Heartbleed. Gaps in quality inevitably compromise security," Llaguno added.

"This presents a challenge for adopters/consumers of OSS - how to determine the fitness of a particular OSS project. While static analysis has been extremely beneficial for improving the quality and security of OSS, other software integrity techniques (such as software fuzzing, used to verify the existence of Heartbleed) in combination with broader project health/community metrics may be necessary to develop a complete picture of maturity."

Since its inception in 2006, Coverity Scan has identified more than 1,1 million defects in active OSS projects, leading to the remediation of more than 600 000 defects. The 2017 Coverity Scan report details the analysis of 760 million lines of open source code across several languages, including C/C++, C#, Java, JavaScript, Ruby, PHP, and Python.

Key findings from the 2017 Coverity Scan Report include:

* Key behaviours indicate increasing maturity of OSS projects.
The adoption of CI/CD and remediation of actionable defects by developers highlight the value of static analysis to the OSS ecosystem.

* Active projects within Scan show significant adoption of secure software development practices.
Since January 2016, 4 117 active projects have submitted builds for analysis. Of those, nearly 50% use Travis CI, indicating the use of continuous integration/continuous deployment (CI/CD) practices. Another 2 509 projects have been triaged, which requires developers to have intimate knowledge of the codebase. Additionally, 1 120 projects were configured to make use of modelling, a mechanism for improving the quality of their analysis results.