Static analysis defect density scans by the software quality firm showed that open source code outpaced commercial code for quality in 2013 and 2014.
However, the report for 2014 also compared code against security compliance standards, such as the Open Web Application Security Project (Owasp) top 10 and the Common Weakness Enumeration (CWE) top 25 most dangerous errors, and found that commercial code is more compliant with these standards than open source code.
This finding is mainly ascribed to the high number of open source security incidents during 2014 and the general inaccessibility of common security tools to open source projects due to limited budgets.
The report is based on the analysis of nearly 10 billion lines of open source code from more than 2,500 open source C/C++ projects and an anonymous sample of enterprise projects.
Defect density improvements
The report highlights results from several popular, open source Java and C# projects that have joined the Coverity Scan service since March 2013.
Since its inception nine years ago, the Coverity Scan service has analysed billions of lines of code, and has reviewed more than 5,100 open source projects – including C/C++ projects.
The Coverity Scan service has helped developers find and fix more than 240,000 defects since 2006.
As detailed in the latest report, nearly 152,000 defects were fixed in 2014 alone, which is more than the total number found by the service between 2006 and 2013.
The latest report also shows that defect density (defects per 1,000 lines of code) of open source code and commercial code has continued to improve since 2013.
Open source code defect density improved from 0.66 in 2013 to 0.61 in 2014, while commercial code defect density improved from 0.77 to 0.76.
According to OpenSSL co-founder Tim Hudson, the Coverity Scan service helped to catch newly discovered defects and highlight where other issues, such as the Heartbleed bug, might exist. Since Heartbleed, OpenSSL has fixed 302 defects found by Coverity Scan, and now has a 0.21 defect density.
Speed and security
The latest Coverity report shows that the Linux operating system remains a benchmark for static analysis defect density. Since joining the Coverity Scan service in 2006, Linux has retained its commitment to quality, which remains a key focus, the report said.
During 2014, Linux used the Coverity Scan service to find and fix more than 500 high-impact defects, including resource leaks, memory corruptions and uninitialised variables.
“As a whole, software quality and security are improving, but neither open source nor commercial standards are complete or conclusive enough to catch everything,” said Zack Samocha, director of marketing for the software integrity group at Synopsys.
“As software projects are being pushed to market faster than ever before, developers need to balance security with speed. As more of these projects use systems like Coverity Scan, we expect to see continued improvement in open source and commercial code security throughout 2015,” he said.
The report makes the assertion that the software industry as a whole must do a better job of balancing security with development speed and feature improvements.
“Developers should use a combination of tools, compliance standards and best-practice principles to produce software that is both high quality and secure – rather than one or the other,” the report said.