Software-as-a-Service (SaaS) security vendor Veracode has conducted a real world survey, sampling billions of lines of code across various types of applications (including open source) and has flagged up some substantial differences between the security levels of open source software and proprietary
The report which is available here – based on aggregated dated from real world applications – appears to suggest that open source software not inherently less secure than commercial software. No single software supplier excelled at delivering secure software upon first submission to Veracode’s SaaS based application scanning platform.
For example, using the CWE/SANS Top 25 as the benchmark, 61% of open source projects were not acceptable on first submission compared to 62% of commercial software. Veracode also found that the percentage of Very High Severity vulnerabilities for open source was 21%, compared to 20% for commercial – suggesting a degree of comparability.
On a positive note, open source project teams remediated security vulnerabilities faster than all other users of Veracode’s application risk management services platform. The company says that, “This is not surprising given the numerous political and organisational complexities of enterprise development efforts and the formal, customer-centric release plans of commercial software vendors.”