Secure Coding mailing list archives

Economics of Software Vulnerabilities


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 21 Mar 2007 13:53:00 -0400 (EDT)


On Tue, 20 Mar 2007, Wall, Kevin wrote:

> With rare exceptions, in general, I do not find that the
> open source community is that much more security conscious
> than those producing closed source. Certainly this seems true
> if measured in terms of vulnerabilities and we measure "across
> the board" (e.g., take a random sampling from SourceForge) and
> not just our favorite security-related applications.

Indeed, CVE and any other refined vulnerability information source is
chock full of open source products on SourceForge that have the most
obvious security holes possible, and let's not forget the open source
products that have gotten a bad reputation such as PHP-Nuke and Sendmail.
Insecure programming is universal.

> Where I _do_ see a remarkable difference is that the open source
> community seems to be in general much faster in getting security
> patches out once they are informed of a vulnerability.

Seems to, yes, based on statistics of publicly reported vulns.
Unfortunately I can't remember the studies at the moment :(

- Steve
