11 open-source projects certified as secure

Under contract with the Department of Homeland Security, Coverity seeks to establish a new security baseline for open-source applications.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Jan. 8, 2008 8:52 a.m. PT

Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.

Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

San Francisco-based Coverity, working in collaboration with Stanford University and under a contract from the Department of Homeland Security, is analyzing source code to certify that open-source projects written in C, C++, and Java are secure. Coverity has not disclosed the amount of the DHS contract.

The certification was created so that companies can "select these open-source applications with even greater confidence," Coverity said.

The company uses a ladder metaphor in its certification process.

Rung 2, which was announced late Monday and is the most secure level to date, includes the 11 projects. Rung 1 now includes 86 projects. Rung 0, the lowest level, currently lists 173 projects.

In all cases, open-source vendors must fix all vulnerabilities discovered by Coverity's tools in order to move up the rungs of the security ladder.