
Examining Open Source Security and the Road Ahead

How secure is your open source code? This is becoming an increasingly important question. Read on for a synopsis of Coverity's latest Scan Report.

Coverity Scan's impact on open source software (OSS) is both extensive and largely unacknowledged. Since its inception, Scan has enabled developers to fix over 600,000 defects across some of the most important projects in open source. As part of that effort, it has also helped improve the maturity of the software development practices of active OSS contributors by supporting the continuous integration of analysis results and the accurate identification of discovered issues.

What About False Positives?

The effectiveness of Scan's static analysis is reflected in its false-positive rate of under 10% across the more than 700 million lines of code currently managed by Scan. Given the modest number of developers relative to the size of the individual codebases, Scan is proof that only a few developers are required to make a significant improvement to the entire OSS ecosystem. The accuracy of our results translates directly into actionable developer guidance.

Translating Accuracy Into Actionable Developer Guidance

Approaching project maturity from the perspective of static analysis leads us to measure improvements to OSS projects using the metric of defect density. While this provides some useful information regarding improvements in the quality of code, it is far from complete. From a broader perspective of maturity, we need to consider additional metrics.

The 2017 Coverity Scan Report discusses various aspects of the community and projects related to Scan. It highlights both the contribution Scan has made to the maturity of the development practices of OSS projects and the impact it has had on the quality of the OSS ecosystem. It additionally examines historical perspectives regarding the use of defect density as the sole measure of quality.

Within this report, we'll expand on the perspective required to measure OSS project risk and examine initiatives from the Linux Foundation that may potentially be incorporated into Scan to provide a holistic view of a project.

It is becoming crucial to be able to assess risks associated with the consumption of OSS. The potential to provide a holistic view of software risk and maturity by combining information from multiple dimensions will be essential as OSS becomes ever more pervasive in technology.

Highlights From the 2017 Coverity Scan Report

The Coverity Scan Report includes analysis of approximately 760 million lines of open source code across several languages, including C/C++, C#, Java, JavaScript, Ruby, PHP, and Python. From these findings, we deduced that:

  • Active projects within Scan show significant adoption of secure software development practices.
  • The adoption of CI/CD and remediation of actionable defects by developers highlight the value of static analysis to the OSS ecosystem.
  • Software shipped to customers can contain up to 90% open source code, and some new companies have been founded entirely on OSS, proving that OSS is now the norm.

Join us on November 8, 2017, at 12 pm PDT for a live Q&A with Synopsys open source solution manager and Coverity Scan Report author, Mel Llaguno.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Published at DZone with permission of Liz Samet, DZone MVB. See the original article here.
