Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 21 Mar 2007 13:53:00 -0400 (EDT)
On Tue, 20 Mar 2007, Wall, Kevin wrote:
> With rare exceptions, in general, I do not find that the open source community is that much more security conscious than those producing closed source. Certainly this seems true if measured in terms of vulnerabilities and we measure "across the board" (e.g., take a random sampling from SourceForge) and not just our favorite security-related applications.
Indeed, CVE and any other refined vulnerability information source is chock full of open source products on SourceForge that have the most obvious security holes possible, and let's not forget the open source products that have gotten a bad reputation such as PHP-Nuke and Sendmail. Insecure programming is universal.
> Where I _do_ see a remarkable difference is that the open source community seems to be in general much faster in getting security patches out once they are informed of a vulnerability.
Seems to, yes, based on statistics of publicly reported vulns. Unfortunately I can't remember the studies at the moment :( - Steve