Advertisement
Promo

Security threats Toolkit

Coverity reveals common open-source code flaws

Tom Espiner ZDNet.co.uk

Published: 20 May 2008 17:35 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A project funded by the US Department of Homeland Security has praised improvements in open-source security, while outlining some common errors.

Coverity, a commercial code-analysis company spun out of Stanford University, has been running its Scan project with Department of Homeland Security funding since 2006.

On Tuesday, Coverity released its Open Source Report, which gives results of bugs in more than 250 open-source projects. Coverity declined to give details of individual projects' faults, but instead gave a list of frequent coding errors.

Coverity did single out some projects for particular praise due to the cleanliness of the code, including Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python and Samba.

The most common type of code defect, accounting for 28 percent of all the defects found, was the NULL pointer dereference, as the use of pointers in C/C++ is error-prone, according to Coverity.

"This type of error often occurs when one code path initialises a pointer before its use, but another code path bypasses the initialisation process," stated the report. "Pointers are a notoriously challenging programming concept that many languages elide altogether (eg, Java). Senior developers know that new programmers frequently have trouble understanding pointers."

Because pointers are often used to pass data structures by reference between pieces of program logic, they may be the most commonly manipulated data objects due to repeated copying, aliasing and accessing. Therefore, it is not surprising that the most frequently used artefacts will incur the most errors in manipulation, said Coverity.

The second most common type of code defect are resource leaks. While some resource leaks are pointer-related, others may be the result of misusing an application programming interface (API), said Coverity.

Other common code defects include unintentional ignored expressions, use before test and buffer overflow vulnerabilities.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
5 out of 5 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Authentication risks all too human

Risks to successful online banking identification and authentication using smartcards involve a mixture of human and technological factors, according to the European Network and Information... More

1 comment

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

2 comments

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters