Synopsys today announced that the results of its 2017 Coverity Scan Report showed significant adoption of secure software development practices, underscoring the importance of managing OSS risk.
“Due to the ubiquity of open source and the vital role it plays in virtually all types of software, understanding and managing its risks can no longer be optional,” said Andreas Kuehlmann, senior vice president and general manager of the Synopsys Software Integrity Group. “The Coverity Scan Report highlights the progress of some of the most mature and widely used open source projects, and it provides invaluable insights for the broader software community that depends on the integrity of open source.”
This comes at a particularly interesting time in the world of open-source code, which technology giants such as Microsoft and Google have embraced in recent years as a form of ‘cyber-philanthropy’, but security giant McAfee have announced they will no longer provide their code for review to foreign governments, in a move that some have labelled a massive blow to the culture of open-source software.
Key findings from the Coverity Scan Report include:
- Active projects within Scan show significant adoption of secure software development practices. Since January 2016, 4,117 active projects have submitted builds for analysis. Of those, nearly 50 percent (2,049) use Travis CI, indicating using of continuous integration/continuous deployment (CI/CD) practices. Other 2,509 projects have been triaged, which require developers to have intimate knowledge of the codebase. Additionally, 1,120 projects were configured to make use of modeling, a mechanism for improving the quality of their analysis results.
- Key behaviors indicate increasing maturity of OSS projects. The adoption of CI/CD and remediation of actionable defects by developers highlight the value of static analysis to the OSS ecosystem. Other measures of maturity such as development and community metrics are required to characterize the risks associated with OSS consumption.
- Commercial and OSS ecosystems are converging. According to some of the largest commercial users of Coverity, software shipped to customers can contain up to 90 percent open source code. In addition, there are now companies founded entirely on OSS proving that OSS is now the norm.
All of the above constitute something unusual in the security world- Relatively good news! We can only hope that the OSS project continues to go from strength to strength.
