I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself “unbreakable”. However, let’s be fair:
There is an article out there called 11 open-source projects certified as secure. I quote from there “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.” This is nonsense and we all know it. This is for different reasons: Static source code analysis will never ever be able to find all vulnerabilities. Additionally the threat landscape changes. Even if we would be able to say “the software is secure” (which we will never be), this will be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems. Ways, we have never thought of when we planned for the system.
So, I tried to confirm the above statement on the websites of Coverty: http://www.coverity.com/index.html and http://scan.coverity.com/index.html and could not find the same statement, which I think is not bad – otherwise I would have doubted their capacity.
Actually, Michael Howard commented on that as well: “Open-source projects certified as secure” – huh?
So, to summarize: I am not in the position to assess the quality of Coverty’s capabilities and the quality of their tools and processes. The only think I know for sure is that this article is crap
BTW: Stop looking for the Security Silver Bullet – I do not want to lose my job J