Coverity, which makes automated source-code analysis tools, announced late Monday its first list of open-source projects certified as free of security defects. More precisely, these are projects that have resolved every defect Coverity's static analyzer flagged, which is not the same thing as having no defects: a clean scan means the tool found nothing, not that nothing is there.

Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

This list of projects may seem fair and equitable. And certainly, Perl, Postfix, Amanda and others can be very secure. But PHP? Granted, the work is funded under a DHS contract and done in association with Stanford University, and the certification boasts strong requirements, especially for moving up the "rungs" on the "ladder." But is it all it's cracked up to be?

This ladder, however systematic, seems on the light end and is driven solely by Coverity's own logic and vocabulary. One of the stated criteria is that "projects progress to the next rung by selecting a set of official contacts to represent the project to Coverity." There is little to explain what criteria are actually used, why they matter, or how a project earns the next "rung."

This seems like a good effort, but the rationale for what actually makes these projects secure is arbitrary and a little watered down. Heck, anyone can make a ladder...

Thoughts?

The link for this article located at CNET.com is no longer available.