Open source projects suffer a higher proportion of high-severity security flaws than proprietary software but once found they tend to get fixed more rapidly, a new analysis has found.
The data comes from online software assessment company Veracode, which founded the Open Source Ratings Database with money from the US government and now plans to publish a full report in early 2010. A preliminary ‘taster’ released by the company this week shows that both sectors have some way to go when it comes to security.
Seventy-six percent of enterprise-class open source projects did not meet an acceptable level of security on their first assessment, about the same as the seventy-seven percent of commercial applications showing the same issues. At this stage, fifty-three percent of open source and fifty-six percent of commercial apps contained at least one ‘high’ or ‘very high’ severity flaw.
Measured against industry benchmarks such as the CWE/SANS Top 25 and the OWASP Top 10, used to define the worst security problems found, open source projects fared better than the commercial sector, though these flaws represent only the ones the world gets to hear about.
Veracode’s own assessment of projects run through its code review service suggested that open source software was proportionally more likely to suffer from very high severity flaws, with 15 percent containing such problems, compared to only 5 percent of the commercial programmes. On the other hand, the company found that once informed, open source teams were able, on average, to sort out the issues within the space of only a week.
Flaw reporting to commercial organisations is still seen as a much more haphazard process, which can result in problems taking weeks or months to fix and, in some cases, being ignored altogether until real-world exploits emerge.
“The data does not indicate that one method of development or source of software is ‘more secure’ than the other,” says the report, tactfully. According to its authors, the message is that the coding errors that introduce one of a number of security issues can usually be remediated fairly easily.
Veracode has a vested interest here, being the main pioneer in the emerging application testing market with its SecurityReview service. The company’s contention is that all software, whether in-house, outsourced, proprietary or open source, should be assessed for security issues before being put to use. The economic justification is that it is always cheaper to fix a problem during development than to do it afterwards, when it risks being exploited.
Also this week, the company discovered it has competition with the launch by tools company Fortify Software of its own software-as-a-service equivalent, Fortify on Demand.
Veracode’s Open Source Ratings Database now contains analyses of around 100 enterprise-class open source applications, including Apache, JBoss, Firefox, OpenSSL, OpenVPN, MySQL, and many others.