Comments on: Open Source Code Contains Security Holes

By: jeremy

jeremy — Mon, 21 Jan 2008 15:16:21 +0000

I wouldn’t say that defects per line of code is *completely* irrelevant, but you certainly need to take it for what it is… and nothing more. Generally speaking, less defects should mean less vulnerabilities and also less critical vulnerabilities. Of course, specific cases may very, but I think the track record of the projects mentioned bares out this general case.

–jeremy

By: dysk

dysk — Mon, 21 Jan 2008 01:37:28 +0000

Neat article, however defects per line of code is somewhat of an irrelevant benchmark. For one, lines of code is only a measure of a program’s complexity in the broadest sense, and one remotely accessible vulnerability is enough to leave you in serious trouble.

For another, the number of defects entirely leaves out the severity of each defect, as by this metric a remotely exploitable root code execution defect gets the same weight as the use of an uninitialized variable.

By: jeremy

jeremy — Wed, 16 Jan 2008 00:32:56 +0000

Well, that’s part of the issue. Numbers like that are not usually available for proprietary software, since the code to run the tests is not openly available. Even if a company gave the source to Coverity to test for internal knowledge, they would almost never publicly release the numbers.

–jeremy

By: rshame

rshame — Tue, 15 Jan 2008 12:36:53 +0000

jeremy,

I’d like to ask you to introduce (if you have them) the numbers of defect rate in non-Open Source software for the sake of healthy comparison. Obviously to the reader numbers such as .127 per thousand lines sound bold: they sound to me as no defective at all. I’ll starve to know how much the defect rate sounds for a – for instance – Microsoft software. Do you have this? Great article, by the way, thanks a lot for sharing.