Study: Linux the Safest Out There
A new study has found that Linux is more secure than most commercial software -- results that echo what its proponents have long said.
A four-year study released today by Coverity reports that Linux has a low bug count, making the code more stable and secure. The 2.6 Linux production kernel, now being shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million lines of code, far below the industry average, said Seth Hallem, Coverity's CEO.
"Our findings show that Linux contains an extremely low defect rate and is evidence of the strong security of Linux," Hallem said. "Many security holes in software are the result of software bugs that can be eliminated with good programming processes."
Commercial software contains 20 to 30 bugs for every thousand lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. That is equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.
"Linux has continually improved over the period since we first began analyzing it," Hallem said, adding that open source has a big advantage, because so many eyes had the opportunity to search it for flaws.
Of the bugs found in the Linux production kernel, 627 were in critical parts of the kernel; 569 could result in a system crash; 100 were security holes and 33 were buffer overruns, Coverity said.
Hallem said most of the bugs found during the study would be cleared by members of the open source community.
Andrew Morton, lead Linux kernel maintainer, said developers had already addressed the top-priority bugs discovered in the study.
"This is a benefit to the Linux development community, and we appreciate Coverity's efforts to help us improve the security and stability of Linux," he said in a statement.
Hallem said Coverity will begin providing bug analysis reports on a regular basis and make a summary of the results freely available to the Linux development community.
"Key Linux developers can now use the same tools that many of the world's largest commercial IT vendors have integrated into their software development process," Hallem said.
The Linux source code analysis project started in 2000 at the Stanford University Computer Science Research Center as part of a research initiative to improve software engineering processes in the software industry, said Hallem.