• On MovieTome: HARRY POTTER gets a new trailer!
advertisementAT&T Tech Support 360

March 6, 2006 2:20 PM PST

LAMP lights the way in open-source security

By Joris Evers
Staff Writer, CNET News

Related Stories

Homeland Security helps secure open-source code

 January 10, 2006

Key bugs in core Linux code squashed

 August 3, 2005

Microsoft looks to extinguish LAMP

 June 15, 2005

Open-source LAMP a beacon to developers

 June 14, 2005

Study: Few bugs in MySQL database

 February 4, 2005

Security research suggests Linux has fewer flaws

 December 13, 2004

Will code check tools yield worm-proof software?

 May 26, 2004
The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.

The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.

The U.S. Department of Homeland Security awarded $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."

LAMP includes the Linux operating system, Apache Web server, MySQL database and a scripting language--PHP, Perl or Python. It has been pushing its way into mainstream corporate computing, a rival to Java and Microsoft's .Net.

In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.

There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.

Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.

Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open source code next to that of proprietary code because that code is not available for scanning.

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

A PDF of the Coverity analysis is available for download (registration required).

See more CNET content tagged:
Coverity, defect, open-source project, open source, open-source software

Add a Comment (Log in or register) 9 comments
LAMP Meme Rising
by Broward Horne March 6, 2006 3:02 PM PST
As predicted and posted one year ago -

http://www.realmeme.com/Main/miner/technology/LAMPlinuxDejanews.png


LAMP is one of the issues confronting J2EE -

http://www.realmeme.com/Main/savingj2ee/index.jsp
Reply to this comment
How Does This "LAMP lights the way..."
by Captain_Spock March 6, 2006 3:31 PM PST
... to show the projected "economic" expectations of countries around the world; also, when will the 90% plus world market-share start to use these LAMPs to see the performances! ;-)
Reply to this comment View all 2 replies
When MS doesn't sponser a study, the truth is told.
by booboo1243 March 6, 2006 5:25 PM PST
But I'll be if M$ got word of this study they were sure trying to pay people off.
Reply to this comment View reply
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from News.com sponsors
You Need The Speed of Norton 2009
Introducing Norton Internet Security™2009

Click Here!
With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

Click Here!
The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET