Firefox Analysed by Coverity Software

21 Aug 06:19

Coverity, Inc., makers of static code scanners, has announced the participation of the Mozilla project in a program to help improve the quality of the open source Firefox Web browser's 2 million lines of code.

Firefox recently became one of over 50 major open source packages analyzed by Coverity as part of a three-year contract awarded by the US Department of Homeland Security Science and Technology Directorate under its "Vulnerability Discovery and Remediation Open Source Hardening Project." In March 2006, Coverity began conducting regular scans of popular open source packages such as Firefox, Ruby, Perl, and Linux in an effort to better secure the software that powers critical infrastructure.

"Organizations should implement source code security scanning tools as part of the software development life cycle to find and fix the highest number of security issues early in the project," said Amrit T. Williams, Research Director, Security & Privacy, Gartner, Inc. "This will result in a higher quality product and lower overall application life cycle costs."

Coverity's flagship product, Coverity Prevent, scales to analyze millions of lines of code with 100 percent path coverage and is capable of detecting complex concurrency errors, such as race conditions and deadlocks, that are not easily found through testing or normal use of the product.

"Firefox's success and growth is the result of our great community of users and developers that not only help discover and respond quickly to stability and security bugs, but provide new perspectives and ideas to improve the quality of Firefox," said Chris Hofmann, director of Special Projects at Mozilla. "Coverity is one of the many valuable resources our developers are now able to draw on to help fine tune Firefox."

"The results of our analysis have shown that the Firefox browser is very high quality software, especially given how complex it is," said Seth Hallem, CEO of Coverity. "More importantly, the Firefox team is proving that they take the quality and security of their code very seriously. By integrating source code analysis into their development process, they are demonstrating a commitment to sound development practices and to the steady improvement of their software."

[Software engineering based on risk management throughout the development process, including static code analysis, is gradually gaining ground and should hopefully become the norm within the foreseeable future. --Ed].

Related links:
scan.coverity.com/
www.mozilla.org

Taken from Information Security Bulletin.