A code analysis software company called Coverity recently published a generally favorable report on the number of security flaws in the FreeBSD code base. It found 306 flaws or about 1 for every 4K lines of code. Linux by comparison had 950 flaws for what I’m guessing is a larger code base.
What can you take away from a report like this?
- It is a good thing to think about code quality as early as possible
- It is a really good thing if you can do code quality analysis at compile time
- Not all 306 flagged flaws will be real; each still requires human analysis to confirm
- FreeBSD would seem to live up to its reputation for good security. Of the 306 flaws, only 5 could be triggered by user input and 12 were buffer overruns
They mention that Microsoft uses PREfast and PREfix for code analysis. That is mostly true, and the tools do help. What the report doesn’t address is a problem I saw at Microsoft and am sure exists elsewhere: developers game the system to some degree. You do whatever it takes to pass the checks so you can check in and move on, which means you can patch the problem just enough to satisfy the security checker without actually solving it.
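A concrete illustration of that pattern, added here as an example and not taken from the report or from any Microsoft or FreeBSD code (the function names, buffer size and input string are constructed): a buffer overrun that a checker flags, a "fix" that silences a banned-API rule while leaving the bug in place, and the real fix a reviewer should insist on.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed fixed-size destination */

/* Original defect: unbounded copy into a fixed-size buffer.
 * This is the kind of overrun a static checker reports. */
void copy_name_unbounded(char *dst, const char *src) {
    strcpy(dst, src);                  /* no length check at all */
}

/* "Gamed" fix: swapping strcpy for strncpy satisfies a banned-API rule,
 * but strncpy writes no NUL when src fills the buffer, so any later
 * strlen/printf on dst reads past its end. Checker quiet, bug remains. */
static void copy_name_gamed(char dst[NAME_MAX], const char *src) {
    strncpy(dst, src, NAME_MAX);
}

/* Real fix: bound the copy to leave room for the terminator and always
 * write it. Returns 1 if the input had to be truncated, else 0. */
static int copy_name_fixed(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    int truncated = n >= NAME_MAX;
    if (truncated) n = NAME_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Does the buffer hold a proper C string within its declared size? */
static int is_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Constructed 19-byte input, longer than NAME_MAX. */
static const char *OVERSIZE_INPUT = "0123456789ABCDEFXYZ";

/* Drive each variant with the same input; 1 = valid string, 0 = not. */
static int gamed_copy_is_terminated(void) {
    char dst[NAME_MAX];
    copy_name_gamed(dst, OVERSIZE_INPUT);
    return is_terminated(dst, sizeof dst);
}
static int fixed_copy_is_terminated(void) {
    char dst[NAME_MAX];
    copy_name_fixed(dst, OVERSIZE_INPUT);
    return is_terminated(dst, sizeof dst);
}

int main(void) {
    printf("gamed fix terminated: %d\n", gamed_copy_is_terminated());
    printf("real fix terminated:  %d\n", fixed_copy_is_terminated());
    return 0;
}
```

A test that checks the destination is NUL-terminated, rather than a rule that only greps for banned calls, is what separates the two "fixes".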
I think code quality tools can be very useful if used wisely. The company I work for is looking at adding them to the mix as part of our certification process. But you can’t rely on them as a substitute for thorough test analysis.