Linux scores high marks for security

Despite an increase in the size of the basic Linux code in the past six months, it remains one of the most secure pieces of software available, according to a recent study by Coverity, a developer of source code analysis tools.

The study found that the most recent release of the Linux kernel is free of major defects, compared with the discovery of six critical defects at the end of December 2004. Even then, the open-source Linux was considered more secure than most commercially developed software.

The Linux kernel then was found to have 985 bugs in 5.7 million lines of code. In comparison, commercial software of a similar scope typically has as many as 171,000 bugs, according to Coverity.

In its study, the company analyzed the most recent version of the Linux kernel, 2.6.12, which had expanded to just more than 6 million lines of code, and found the same total number of bugs.

"Although the size of the Linux kernel increased over the six-month study, we noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, Coverity's chief executive officer. "Although [code] contributors introduced new defects, these were primarily in noncritical device drivers."

Companies such as Red Hat and Novell use the Linux kernel to develop their commercial versions of the Linux operating system.

Coverity's Linux study began in 2000 as a source code analysis project at Stanford University's Computer Science Research Center as part of an initiative to improve core software engineering processes.

Five of the lead Stanford researchers later started Coverity to commercialize the technology developed at the university. Using that technology, the Stanford research team developed the first system capable of automatically detecting critical defects in open-source projects such as Linux and FreeBSD.

Coverity officials said they will publish Linux bug analysis reports regularly and make the summary available for free to the Linux development community.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at [email protected]

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.


  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

  • Workforce
    online collaboration (elenabsl/

    Federal employee job satisfaction climbed during pandemic

    The survey documents the rapid change to teleworking postures in government under the COVID-19 pandemic.

Stay Connected