Open-source software security

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.

Implementation debate

Benefits

Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and to accept the rate at which patches and updates are released.

It is assumed that any compiler that is used creates code that can be trusted, but it has been demonstrated by Ken Thompson that a compiler can be subverted using a compiler backdoor to create faulty executables that are unwittingly produced by a well-intentioned developer. With access to the source code for the compiler, the developer has at least the ability to discover whether there is any malicious intent.

Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and not be able to compromise the information. His ideas were the basis for many modern security practices, and from them it followed that security through obscurity is a bad practice.

Drawbacks

Simply making source code available does not guarantee review. An example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit. At one time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or patches.

Having a large number of eyes reviewing code can "lull a user into a false sense of security". Having many users look at source code does not guarantee that security flaws will be found and fixed.

Metrics and models

There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.

Number of days between vulnerabilities

It is argued that a system is most vulnerable after a potential vulnerability is discovered, but before a patch is created. By measuring the number of days between the discovery of a vulnerability and the time it is fixed, a basis can be determined for the security of the system. There are a few caveats to such an approach: not every vulnerability is equally bad, and fixing a lot of bugs quickly might not be better than finding only a few and taking a little longer to fix them, once the operating system or the effectiveness of the fix is taken into account.

Poisson process

The Poisson process can be used to measure the rates at which different people find security flaws in open and closed source software. The process can be broken down by the number of volunteers $N_v$ and paid reviewers $N_p$. The rate at which volunteers find a flaw is measured by $\lambda_v$ and the rate at which paid reviewers find a flaw is measured by $\lambda_p$. The expected time for a volunteer group to find a flaw is $1/(N_v \lambda_v)$ and the expected time for a paid group to find a flaw is $1/(N_p \lambda_p)$.

Morningstar model

By comparing a large variety of open source and closed source projects, a star system could be used to analyze the security of a project, similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such a system is as follows:

1 Star: Many security vulnerabilities.
2 Stars: Reliability issues.
3 Stars: Follows best security practices.
4 Stars: Documented secure development process.
5 Stars: Passed independent security review.

Coverity scan

Coverity, in collaboration with Stanford University, has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software. The level of quality and security is measured in rungs. Rungs do not have a definitive meaning, and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found by the Coverity Analysis results and the degree of collaboration with Coverity. They start with Rung 0 and currently go up to Rung 2.

Rung 0

The project has been analyzed by Coverity's Scan infrastructure, but no representatives from the open-source project have come forward for the results.

Rung 1

At Rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.

Rung 2

There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.

See also

Open Source Security Foundation

External links

Bruce Schneier: "Open Source and Security", Crypto-Gram Newsletter, 15 September 1999
Messmer, Ellen. (2013). "Security of open-source software again being scrutinized". Network World, 30(5), 12-12,14. (Article at CIO magazine)
Census Project / Core Infrastructure Initiative by Linux Foundation