Google recently introduced “Google Code Search”, which provides static code analysis, including full regex queries, over any publicly available source code – trust me, hilarity will quickly ensue. Aaron Campbell from Arbor Networks has a good blog post on the topic, and Gadi “Botslayer” Evron provides some links describing the fun folks are already having with the new service. As with the full-disclosure debate, it is almost pointless to argue whether this is good or bad; I am sure there will be arguments on both sides about the use of this service. The reality is that it is here, and the open source community, or anyone who has publicly available source code, should brace themselves for an onslaught of vuln findings from kiddie@some*.edu.
I am a strong advocate of integrating security best practices and tools into the SDLC, and I think we can draw a parallel between code quality in the mid-90s and code security in the mid-2000s. Near the end of this decade and into the next, code security will be seen as a code quality issue, and within the next 2-3 years organizations will begin to weight code security, as an evaluation criterion, as heavily as features and functions.
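The practical takeaway from both points above is that the same regex-driven search that anyone can now run against your published code is trivial to run yourself, earlier, as a gate in the SDLC. The following is an added example, not code from the original post and not Google Code Search's own logic: a small regex scanner with a hypothetical rule set (unbounded C string copies, a non-literal `printf` format argument, hardcoded credentials, shell execution) run over a constructed C source sample. It also shows the main caveat of regex-only search, namely that it has no parser, so the scanner skips obvious comment lines to cut noise rather than trusting every hit.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample C source (not from any real project) used as scanner input.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

static const char *db_password = "hunter2";   /* constructed sample */

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);        /* unbounded copy, no length check */
    printf(buf);              /* caller-controlled format string */
}

void safe_greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);
    printf("%s\n", buf);
}

// strcpy(old, legacy);   commented-out code, skipped by the scanner
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    snippet: str


# Hypothetical rule set: (rule id, severity, pattern, reason).
# These are the kinds of patterns a regex code search surfaces; tune for your code base.
RULES = [
    ("unbounded-copy", "high",
     re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\("),
     "length-unchecked copy into a fixed buffer"),
    ("format-string", "high",
     re.compile(r"\bprintf\s*\(\s*[A-Za-z_]"),
     "printf whose first argument is a variable, not a string literal"),
    ("hardcoded-secret", "medium",
     re.compile(r"(?i)(password|passwd|secret|api_key)\s*=\s*\"[^\"]+\""),
     "credential assigned from a string literal"),
    ("shell-exec", "medium",
     re.compile(r"\b(system|popen)\s*\("),
     "command execution through a shell"),
]


def scan_source(text: str, path: str = "<memory>") -> list[Finding]:
    """Run every rule over every line; one Finding per (line, rule) hit."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Regex has no notion of syntax; skipping whole-line comments removes the
        # most common false positives (commented-out legacy code).
        if not line or line.startswith(("//", "/*")):
            continue
        for rule_id, severity, pattern, _reason in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule_id, severity, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. to fail a build above a threshold."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = scan_source(SAMPLE_C, "sample.c")
    for f in results:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.snippet}")
    print(summarize(results))
```

Every hit still needs a human to confirm it (the `snprintf` and literal-format `printf` lines in the sample are correctly left alone, but a real code base will produce noise the comment filter cannot catch), which is exactly why this belongs in review and CI rather than in a public index where the first reader may not be a friendly one.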