DHS-funded project uncovers open-source flaws

A vendor working with the U.S. Department of Homeland Security (DHS) has uncovered vulnerabilities in 11 major open-source software projects, including the Perl and PHP programming and scripting languages used widely to develop web applications.

The firm, Coverity, is working on a three-year, $300,000 program with the DHS that helps open-source software developers find and fix vulnerabilities in their projects. Coverity said it has discovered bugs in Amanda, NTP, OpenPAM, OpenVPN, Overdose, Postfix, Python, Samba, FreeRadius and TCL, as well as Perl and PHP.

"[The program] has 116 projects with active developers using the results," David Maxwell, Coverity's open-source strategist, told SCMagazineUS.com.

Beginning in March 2006 with 35 open-source projects, the program developed the Coverity Scan site, which has since analyzed code from more than 250 projects and helped developers fix more than 7,500 vulnerabilities in open-source software, according to Coverity.

Coverity uses its Prevent static-analysis software to analyze the source code of each program.

"We process the code the way a compiler does, building an abstract representation of the code," Maxwell said. "Then we look at that representation, looking for inconsistencies. For example, if we see that a string is copied, and know the source of the stream and can confirm that the destination is not large enough to accommodate the source, it would create a buffer overflow."
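The size check Maxwell describes can be shown on a small scale. The toy analyzer below is an added example written for this article; it is not Coverity's code and is far simpler than Prevent (no parsing of real C, no scoping or data flow, only fixed-size `char` arrays and `strcpy` from string literals). The C fragment it scans is constructed here for illustration. It records each `char name[N]` declaration it sees, then for every `strcpy(name, "literal")` computes the bytes the literal occupies including the terminating NUL, treating each escape sequence as one byte, and reports the copy when that exceeds the destination's size. Copies into a destination whose size it cannot prove (a `char *` parameter) are deliberately not reported, mirroring the "can confirm" condition in the quote.

```python
"""Toy static check: strcpy of a string literal into a fixed-size char array.

Added illustration for the Coverity article, not Coverity's code. It handles
only the narrow pattern it describes and ignores scopes, control flow and
pointers whose size is not visible in the source.
"""
import re

# char name[N];  -> remember N bytes for `name`
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')

# strcpy(name, "literal")  -> destination name and literal body (without quotes)
STRCPY_RE = re.compile(r'\bstrcpy\s*\(\s*(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)')

# One token per byte of the literal: \xHH, octal \NNN, any other escape, or a plain char.
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{1,2}|\\[0-7]{1,3}|\\.|.', re.S)

# Constructed C sample (not from any real project). Line numbers are referenced below.
SAMPLE_C = """\
#include <string.h>

void greet(char *out)
{
    char small[8];
    char big[64];
    char host[16];
    strcpy(small, "hello");                   /* 6 bytes into 8: fits */
    strcpy(small, "hello, world");            /* 13 bytes into 8: overflow */
    strcpy(big, "hello, world");              /* 13 bytes into 64: fits */
    strcpy(host, "\\x41\\x42\\x43 tab\\t end");  /* escapes are one byte each: 13 into 16 fits */
    strcpy(out, "unknown destination size"); /* out is a pointer: size unknown, not reported */
}
"""


def literal_length(body):
    """Bytes a C string literal occupies in memory, including the terminating NUL.

    Counting raw characters would overstate "\\x41" (4 chars, 1 byte) and
    produce false positives, so escapes are tokenized first.
    """
    return len(ESCAPE_RE.findall(body)) + 1


def find_overflows(source):
    """Return (line, dest, dest_size, bytes_needed) for each literal strcpy that cannot fit.

    Only destinations declared as `char name[N]` earlier in the text are checked;
    anything else is treated as unprovable and skipped rather than guessed.
    """
    sizes = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, size in DECL_RE.findall(line):
            sizes[name] = int(size)
        for dest, body in STRCPY_RE.findall(line):
            if dest not in sizes:
                continue  # cannot confirm the destination size: no report
            needed = literal_length(body)
            if needed > sizes[dest]:
                findings.append((lineno, dest, sizes[dest], needed))
    return findings


if __name__ == "__main__":
    for lineno, dest, dest_size, needed in find_overflows(SAMPLE_C):
        print(f"line {lineno}: strcpy into '{dest}' ({dest_size} bytes) "
              f"needs {needed} bytes: buffer overflow")
```

Running it on the sample reports exactly one copy, the 13-byte literal written into the 8-byte `small`; the escaped literal into `host` is not reported because the escapes are counted as single bytes, and the copy into `out` is skipped because its size is not visible. A production analyzer does the same comparison on a compiler-style representation, so it can track sizes through assignments and calls rather than only matching text.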

Maxwell said the scanning found "vulnerabilities in all but one or two of the projects" in the program. The scanning process allowed the developers to fix the bugs, then resubmit the projects for another analysis, he added.