Tag Archives: Coverity

OSVDB Featured in the Open Source Business Resource (OSBR)

OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.

We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at: http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568

OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:

Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project. David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs. Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities. Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians. Alan Morewood from Bell Canada provides an example of open source meeting a business need.

Next month's editorial theme is "Accessibility"; contact the OSBR Editor if you are interested in making a submission.

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the Slashdot headline, and it certainly sounds interesting. Reading deeper, it links to an article by The Register titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, links neither to the company that performed the study (Coverity) nor to the report itself. A quick Google search finds the Coverity home page. On the right-hand side, under "Library", there is a link titled "NEW >> Open Source Quality Report". Clicking that, you are faced with a "request information" form: you must check the "Open Source Quality Report" box (one of seven boxes, the first of which is "Request Sales Call", with "Linux Security Report" checked by default), and then fill out 14 fields of personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland Security. The DHS opts to spend $1.24 million dollars on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings. To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and “describe your project”).

Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given that this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed of using extortion to share information and research that should be free.

Even worse, your form does not accept RFC-compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my "no plus" web page for not even understanding and following 24-year-old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you don’t want to go through all of that hassle, you can grab a copy of the PDF report anyway.

DHS & Your Tax Dollars

Full Article

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

So DHS uses $1.24 million dollars to fund a university and two commercial companies. The money will be used to develop source code auditing tools that will remain private. Coverity and Symantec will use the software on open-source software (which is good), but it is arguably a huge PR move to help grease the wheels of the money flow. Coverity and Symantec will also be able to use these tools for their customers, who will pay them money for this service.

Why exactly do my tax dollars pay for the commercial development of tools that are not released to the public? As Ben Laurie states, why can't he get a copy of these taxpayer-funded tools to run on the code his team develops? Why must they submit their code to a commercial third party for review to get any value from this software?

The date of this announcement, coupled with the announcement of Stanford's PHP-CHECKER, makes me wonder when the funds started rolling. There are obviously questions to be answered regarding Stanford's project (which I have already asked). This also makes me wonder what legal and ethical questions should be asked about tax dollars being spent by the DHS to fund a university's development of a security tool that could potentially do great good if released for all to use.

It's too bad there is a wait of more than a year for FOIA requests made to the DHS.