Open source software security tops commercial apps, study finds

By Ron Condon, U.K. Bureau Chief
15 Mar 2010 | SearchSecurity.co.UK

An analysis of more than 1,600 applications has lent support to what open source advocates have claimed for many years: open source software is more secure than commercially available code, and when errors in the code are found, they get fixed faster as well. The margin on the first point is slim, a single percentage point in the study's acceptable-security rating, but the gap in time to fix is substantial.

The findings come from a study carried out by Veracode Inc., which operates a cloud-based service to detect vulnerabilities in application code. Users of the service include Barclays plc, Nokia Corp. and The Goldman Sachs Group Inc.

In the study, dubbed "The State of Software Security," the vendor analysed a mixture of open source, internally developed and commercial software and found that most of it contained flaws that left it open to serious application-level attacks, including common techniques such as SQL injection and cross-site scripting.

When evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors list, compiled by MITRE and the US-based SANS Institute, 39% of open source applications were rated at an acceptable level of security, compared with 38% of commercial software and 31% of internally developed applications.

Open source applications also contained the fewest potential backdoors of the three categories of software. In addition, when vulnerabilities were discovered in open source code, they were remedied within 36 days on average, compared with 48 days for internally developed code and 82 days for commercial software.

"The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the open source community," read the report.

The study found that 40% of all applications in large enterprises were supplied by third parties, and more than 30% of internally developed applications contained some commercial and open source code within them. "Most companies depend on third-party software to some extent, and this creates an exposure for them [to be attacked]," said Matt Moynahan, CEO of Veracode. "The liability in the software supply chain is as messy as the supply chain in the auto parts industry."

The State of Software Security report from Veracode is based on analysing billions of lines of code provided by Veracode's customers, and the vendor says it will now repeat the exercise every six months. The company used a variety of static, dynamic and manual testing methodologies on a wide range of application types -- including components, shared libraries, Web and non-Web applications -- and programming languages, including Java, C/C++ and .NET.

All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy