If there was any good that came out of Heartbleed, the vulnerability in OpenSSL that affected more than 500,000 websites, it’s that it put a bigger spotlight on the importance of software testing. As a result, experts are now combing through OpenSSL’s code, as well as the code of many other open source projects, to ensure that the bar on quality and security of publicly available source code is raised.
Because it is built from contributed code, no open source project will ever be fully impenetrable. However, there are four key components that the development community can act on to ensure that projects are kept up to date and that potential defects are detected.
First, it’s important to know who is touching the code. With the open source community being so diverse, there are many different working styles. Therefore, there is a need for someone to own each project and provide architectural review.
Typically, there is a project maintainer (i.e. an individual, group or organization) backing an open source project, and there are contributors who build upon it. For the most part, open source projects also run on gradually earned trust. Therefore, finding and retaining talent within the project is key.
While it is possible that there are bad actors in the open source community, it is also true that few project maintainers can vet every last line of code written by the contributors. That’s where sites like GitHub and CodePlex have made it easier to vet contributors and review their project work. Likewise, organizations such as the Linux Foundation and the Apache Software Foundation have connected expert developers from various companies to help foster quality open source code.
Time and Budget
With the right talent in place, the open source community must also find time to regularly review the code and, further, allocate time to update it. Failure to update promptly is a major cause of having vulnerable software in deployment.
Beyond having time, open source projects that have the support of open source foundations, such as the Linux Foundation’s role with Linux and Apache’s role with Hadoop, tend to have greater capacity and more established practices for ensuring code quality – particularly as there is an assigned budget for the project and, in some cases, developers who are paid for their contributions, like Red Hat with Linux or Cloudera with Apache Hadoop.
If an open source project does not have commercial backing, that doesn’t necessarily mean it’s unlikely to succeed. Commercial entities like Red Hat and Apache can help with the budget for servers, events and technical development that stand-alone open source developers may not be able to acquire with ease.
But even with skilled contributors on board, let’s face it, humans are prone to error. That includes developers, who can write unintentional defects into their code; if a bug goes undetected, it can leave the sites and software built on that code vulnerable.
The good news for open source projects is that there are a number of free tools available to check the integrity of the code, and many vulnerabilities and defects in open source code can be found with them. For code development, the GitHub platform is tremendously helpful. For functional tests, the same applies to tools like Selenium. In static analysis, FindBugs is an open source tool that looks for bugs in Java. Similarly, the Clang Static Analyzer is a source code analysis tool that finds bugs in C, C++ and Objective-C programs.
Another way in which project maintainers and organizations can know if defects are being fixed is to register to observe one of the approximately 2,500 open source projects that have signed up for the Coverity Scan service, an initiative originally created in partnership with the U.S. Department of Homeland Security that now provides free code analysis for open source developers.
Project observers can view high-level statistics about the project quality, including the number of defects fixed, outstanding defects and defect density rate – all to support the open source community in building quality and security into their software development process.
Someday there will be another Heartbleed that causes the entire world to pause and patch. In the meantime, the open source community should not forget about problems they can easily avoid simply by taking the proper precautions – that is, the right talent armed with time, budget and testing tools – today.
Zack Samocha is the senior director of products at Coverity. In his current role, he defines the company product strategy and manages the Coverity open source Scan program which has grown under his leadership to 500 projects and 1,000 active users. Samocha initiated research comparing open source code quality with proprietary code. He started his career at Mercury Interactive. After Mercury, he served as the VP of products at Sauce Labs, where he worked closely with the Selenium open source community.