
Examining Open Source Security and the Road Ahead


How secure is your open source code? This is becoming an increasingly important question. Read on for a synopsis of Coverity's latest Scan Report.


Coverity Scan's impact on open source software (OSS) is both extensive and largely unacknowledged. Since its inception, Scan has enabled developers to fix over 600,000 defects across some of the most important projects in open source. As part of that effort, it has also helped improve the maturity of the software development practices of active OSS contributors by supporting the continuous integration of analysis results and the accurate identification of discovered issues.

What About False Positives?

The effectiveness of Scan's static analysis is reflected in its false-positive rate of under 10% across the 700 million lines of code Scan currently manages. Given the modest number of developers relative to the size of the individual source codebases, Scan is proof that only a few developers are required to make a significant improvement to the entire OSS ecosystem. The accuracy of our results translates directly into actionable developer guidance.

Translating Accuracy Into Actionable Developer Guidance

Approaching project maturity from the perspective of static analysis leads us to measure improvements to OSS projects using the metric of defect density. While this provides some useful information regarding improvements in the quality of code, it is far from complete. From a broader perspective of maturity, we need to consider additional metrics.

The 2017 Coverity Scan Report discusses various aspects of the community and projects related to Scan. It highlights both the contribution Scan has made to the maturity of the development practices of OSS projects and the impact it has had on the quality of the OSS ecosystem. It additionally examines historical perspectives regarding the use of defect density as the sole measure of quality.

Within this report, we'll expand on the perspective required to measure OSS project risk and examine initiatives from the Linux Foundation that may potentially be incorporated into Scan to provide a holistic view of a project.

It is becoming crucial to be able to assess risks associated with the consumption of OSS. The potential to provide a holistic view of software risk and maturity by combining information from multiple dimensions will be essential as OSS becomes ever more pervasive in technology.

Highlights From the 2017 Coverity Scan Report

The Coverity Scan Report includes analysis of approximately 760 million lines of open source code across several languages, including C/C++, C#, Java, JavaScript, Ruby, PHP, and Python. From these findings, we deduced that:

  • Active projects within Scan show significant adoption of secure software development practices.
  • The adoption of CI/CD and remediation of actionable defects by developers highlight the value of static analysis to the OSS ecosystem.
  • Software shipped to customers can contain up to 90% open source code, and some new companies have been founded entirely on OSS, proving that OSS is now the norm.

Join us on November 8, 2017, at 12 pm PDT for a live Q&A with Synopsys open source solution manager and Coverity Scan Report author, Mel Llaguno.



Published at DZone with permission of
