LAMP lights the way in open-source security

U.S. government-sponsored analysis finds that the most popular open-source software is also the most free of bugs.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.

The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.

The U.S. Department of Homeland Security awarded $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."

LAMP includes the Linux operating system, Apache Web server, MySQL database and a scripting language--PHP, Perl or Python. It has been pushing its way into mainstream corporate computing, a rival to Java and Microsoft's .Net.

In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.

There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.

Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.

Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open source code next to that of proprietary code because that code is not available for scanning.

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

A PDF of the Coverity analysis is available for download (registration required).