And utopian security levels

Jan 11, 2008 15:17 GMT

Is it time to forget about security altogether and throw the antivirus out the window just because of open source? Well, Microsoft says not yet. Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft, greeted with a chuckle the news of a collaboration between Coverity, a vendor of static analysis tools for software quality and security, and the US Department of Homeland Security (DHS). Coverity claims that, with the new version of Coverity Prevent, it has identified and "resolved quality issues and potential security vulnerabilities in 11 major open-source projects": Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

As a direct result, the 11 open-source projects were granted access to Coverity's advanced new static analysis capabilities. "All of these projects eliminated multiple classes of potential security vulnerabilities and quality defects from their code at the Coverity Scan site. Because of their efforts to proactively ensure application integrity and security, organizations and consumers can now select these open source applications with even greater confidence", Coverity claimed in a press release.

Howard replied: "open-source projects certified as secure - huh?" He then mocked Coverity's approach and, implicitly, the security levels the 11 open-source projects were reported to have achieved, with "so we finally have the security silver bullet!" A silver bullet for securing software products remains a far-fetched prospect. In the same vein, Frank Fischer, Manager for Technical Evangelism at Microsoft Germany, mocked the notion of a tool that delivers impenetrable and flawless software, saying "forget about security - we have a tool..."

"There are three big problems with this line of thought. First, the security bugs found are only the security bugs found by the tool, and that list is always smaller than the list of all bugs. Second, it assumes that any new code or code changes are bug free. Which may or may not be true. In my experience, it is rarely true that new code is utterly bug free if you don't take a holistic, process-oriented view to security. Third, and this is probably the most important, at best the tool understands a subset of today's vulnerabilities; that could all change tomorrow when a new class of vulnerability or a subtle variant is found", Howard argued.
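To make Howard's three objections concrete, here is an added toy example written for this page; it is not Coverity's engine, not code from any of the 11 projects, and the rule set, the C fragments, and the names `scan`, `is_clean`, `findings_after_commit`, `TODAYS_RULES` and `TOMORROWS_RULES` are all constructed assumptions. A pattern-based checker that knows only the unbounded C string-copy family gives a clean bill of health to a tree that overflows through `memcpy` (point one), stays silent about a later commit until someone rescans (point two), and needs a new rule before it can see the variant at all (point three).

```python
import re

# A rule is a name plus a regex for one bug signature the checker knows today.
Rule = tuple[str, re.Pattern[str]]

# Assumed, constructed rule set: this toy checker only "understands" the classic
# unbounded C string-copy family. It stands in for a real static analyzer's rules.
TODAYS_RULES: list[Rule] = [
    ("unbounded-copy", re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")),
]


def scan(source: str, rules: list[Rule] = TODAYS_RULES) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) for every line matching a rule.

    An empty result means only "no known pattern matched"; it never means
    "no bugs", which is Howard's first point.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in rules:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def is_clean(source: str, rules: list[Rule] = TODAYS_RULES) -> bool:
    """True when the checker has nothing to report under the given rules."""
    return scan(source, rules) == []


def findings_after_commit(tree: str, commit: str,
                          rules: list[Rule] = TODAYS_RULES) -> list[tuple[int, str]]:
    """Findings for the tree once a later change is appended to it.

    A clean scan certifies a snapshot, not the code written afterwards
    (Howard's second point), so the post-commit tree must be rescanned.
    """
    return scan(tree + commit, rules)


# Constructed C fragments (not taken from any real project). The "certified"
# tree overflows buf through memcpy with a caller-controlled length, a variant
# that TODAYS_RULES never modelled, so it scans clean.
CERTIFIED_TREE = """\
char buf[16];
size_t n = strlen(user_input);
memcpy(buf, user_input, n);      /* overflow via memcpy: outside today's rules */
"""

# A later commit reintroduces the pattern the checker does know about.
LATER_COMMIT = """\
strcpy(buf, user_input);         /* new code reintroduces the known pattern */
"""

# Howard's third point: when a new class or a subtle variant is recognised, the
# rule set grows, and everything "certified" under the old rules needs another
# pass. This crude regex for a memcpy whose length is a variable is the toy's
# version of that newly added rule.
TOMORROWS_RULES: list[Rule] = TODAYS_RULES + [
    ("memcpy-variable-length",
     re.compile(r"\bmemcpy\s*\([^,]+,[^,]+,\s*[A-Za-z_]\w*\s*\)")),
]


if __name__ == "__main__":
    print("certified tree clean today?", is_clean(CERTIFIED_TREE))
    print("after commit:", findings_after_commit(CERTIFIED_TREE, LATER_COMMIT))
    print("certified tree under tomorrow's rules:", scan(CERTIFIED_TREE, TOMORROWS_RULES))
```

The point of the toy is the asymmetry: a finding is evidence of a bug, but a clean run is evidence only that the rules on hand matched nothing, and both the rules and the code keep changing after the certificate is printed.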