All of which proves that there are lies, damn lies, and statistics (the statistic being the lower bug density, which ignores the most potentially vulnerable parts of the system).
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gavin, Michael
> Sent: Tuesday, March 07, 2006 11:49 AM
> To: Kenneth R. van Wyk; Secure Coding Mailing List
> Subject: RE: [SC-L] ZDNET: LAMP lights the way in open-source security
>
> The Coverity product (Coverity Prevent) is a static source code analysis
> tool for C and C++, see http://www.coverity.com/library/pdf/coverity_prevent.pdf.
>
> It isn't actually scanning (or if it is, it isn't analyzing) any of the
> scripting code, as far as I can tell.
>
> Michael
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth R. van Wyk
> Sent: Tuesday, March 07, 2006 10:56 AM
> To: Secure Coding Mailing List
> Subject: [SC-L] ZDNET: LAMP lights the way in open-source security
>
> Interesting article out on ZDNet today:
>
> http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm
>
> The article refers to the US government sponsored study being done by
> Stanford University, Symantec, and Coverity. It says, "The so-called
> LAMP stack of open-source software has a lower bug density--the number
> of bugs per thousand lines of code--than a baseline of 32 open-source
> projects analyzed, Coverity, a maker of code analysis tools, announced
> Monday."
>
> This surprised me quite a bit, especially given LAMP's popular reliance
> on scripting languages PHP, Perl, and/or Python. Still, the article
> doesn't discuss any of the root causes of the claimed security strengths
> in LAMP-based code. Perhaps it's because the scripting languages tend to
> make things less complex for the coders (as opposed to more complex
> higher level languages like Java and C#/.NET)? Opinions?
>
> Cheers,
>
> Ken
> --
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php