{"id":26754,"date":"2014-10-15T18:40:32","date_gmt":"2014-10-15T22:40:32","guid":{"rendered":"http:\/\/www.opensource.im\/?p=26754"},"modified":"2014-10-15T18:40:32","modified_gmt":"2014-10-15T22:40:32","slug":"report-open-source-needs-to-get-with-the-security-program","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/open-source-software\/report-open-source-needs-to-get-with-the-security-program.php","title":{"rendered":"Report: Open Source Needs to Get With the Security Program"},"content":{"rendered":"<p>Open source developers apparently don't adhere to best practices such as using static analysis and conducting regular security audits, found Coverity's Spotlight report, released Wednesday.<\/p>\n<p>The Coverity Scan service, which is available at no charge to open source projects, helped devs find and fix about 50,000 quality and security defects in code last year.<\/p>\n<p>That number can be attributed in part to continuous improvement, which lets users find previously undetected defects. Also, as projects mature, devs can focus on rooting out new defects. Another factor is that user registration for the Coverity service was quadruple that of 2012, noted Zach Samocha, senior director of products at Coverity.<\/p>\n<p>Coverity in June added its Security Advisor to the Coverity Scan service, which resulted in the discovery of almost 4,000 defects. The Security Advisor includes sophisticated analysis algorithms that help developers find and fix critical Web application security issues.<\/p>\n<p>Of the 4,000 discoveries, almost 2,400 were high-severity defects, while 1,330 were low severity, and the remaining 260 or so were medium severity.<\/p>\n<p>There have been several highly publicized open source vulnerabilities this year alone, including Heartbleed and Shellshock.<\/p>\n<p>Those two flaws impacted a large number of users because of the widespread implementation of open source software.<\/p>\n<p>\"We would like to see more open source projects sign up for the [Coverity Scan] service and incorporate the finding and fixing of defects into their standard process,\" Samocha told TechNewsWorld. More than 3,000 open source projects have signed up for the service, but \"there are many more.\"<\/p>\n<p>Security Advisor can find quality defects in C#, Java, C and C++ code, and it can spot security defects in Java, C and C++, Samocha said.<\/p>\n<p>Since June, Security Advisor has identified 688 OWASP Top 10 issues in 37 open source projects, including big data, network management and blog server projects.<\/p>\n<p>Read more:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.linuxinsider.com\/story\/81201.html?rss=1\/RK=0\/RS=x76z_6EbzFc044QuHm3C3kG3x2k-\" title=\"Report: Open Source Needs to Get With the Security Program\">Report: Open Source Needs to Get With the Security Program<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Open source developers apparently don't adhere to best practices such as using static analysis and conducting regular security audits, found Coverity's Spotlight report, released Wednesday. The Coverity Scan service, which is available at no charge to open source projects, helped devs find and fix about 50,000 quality and security defects in code last year<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-26754","post","type-post","status-publish","format-standard","hentry","category-open-source-software"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/26754"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=26754"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/26754\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=26754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=26754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=26754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}