[Coverity](http:\/\/www.coverity.com) has published it’s [Open Source Scan Report 2008](http:\/\/coverity.com\/library\/pdf\/Coverity-Scan_Open_Source_Report_2008.pdf), which details the security status of several open source projects. Here’s my summary:<\/p>\n
* The overall security of open source projects is improving.
\n* There’s a linear relationship between the amount of code and the amount of bugs.
\n* Surprisingly, there’s no relation between function length and defect density.<\/p>\n
Projects with exceptionally low defect density include Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python, TCL, Postfix, Samba, curl, libvorbis and vim.<\/p>\n
The top two security defects are<\/p>\n
1. NULL pointer dereference
\n2. Resource leak<\/p>\n
I got to preview [Coverity Prevent](http:\/\/www.coverity.com\/html\/prod_prevent.html) at a previous job, and it rocks at finding real bugs in code, with a very low rate of false positives.<\/p>\n","protected":false},"excerpt":{"rendered":"
[Coverity](http:\/\/www.coverity.com) has published it’s [Open Source Scan Report 2008](http:\/\/coverity.com\/library\/pdf\/Coverity-Scan_Open_Source_Report_2008.pdf), which details the security status of several open source projects. Here’s my summary: * The overall security of open source projects is improving. * There’s a linear relationship between the amount of code and the amount of bugs. * Surprisingly, there’s no relation between function length … <\/p>\n