Fall in open source errors boosts security

The number of security vulnerabilities in open-source software has dropped 16 per cent in two years, claims a recent audit of code defects.

The annual report, commissioned by the US Department of Homeland Security and carried out by software firm Coverity, looks for defects and vulnerabilities in open-source projects using analytical tools which automatically detect various common errors in source code.

Coverity's 2008 report surveyed 55 million lines of code, and found 0.25 errors per 1,000 lines of code, a 16 per cent fall on the 0.3 errors found only two years ago.

"These findings represent an overall reduction of static analysis defect density across 250 open-source projects of a total of 23,068 individual defects," explained the report, which lists null pointer deference and resource leaks as the two most common errors found in projects today.

As well as the average number of defects falling it was also found that some projects managed to reduce this number, known as the defect density, to zero. Perl, PHP and Samba were all noted by the company as performing particularly well and having an extremely low defect density.

Perhaps the most interesting possibility for automatic analysis of errors is a comparison between open source and commercial code, to finally answer the debate of which is the most secure conclusively, although Coverity explained that this is unlikely to happen in the near future.

"Many developers have an opinion about the differing quality and security of open source versus commercial software, and a number of theories have been hypothesised to justify the superiority of one class of code over another," the report said.

"However, comparing these two classes of code is impossible for the purposes of this report, primarily due the difficulty involved in obtaining comparable datasets."