Open Source Code Contains Security Holes -- Open Source -- InformationWeek

[coley at linus.mitre.org (Steven M. Christey)]

Another question is how many of the reported bugs wound up being false
positives.  Through casual conversations with some vendor (I forget whom),
it became clear that the massive number of reported issues was very
time-consuming to deal with, and not always productive.  Of course this is
no surprise to people on this list, but important to note.

Regarding vendor responses - through my work in CVE, I've noticed that
eventually, a developer who's been "tagged" often enough will eventually
develop more systematic responses such as secure APIs, coding standards,
or at least a thorough review.  This is briefly touched on in the
Unforgivable Vulnerabilities paper that I gave at Black Hat USA last year,
where I discuss vulnerability complexity as a qualitative indicator of
software security.

- Steve