An analysis of more than 1,600 applications, spanning open source, internally developed and commercial code, supports what open source advocates have claimed for many years: open source software is at least as secure as commercially available code, and when vulnerabilities are found in it, they get fixed faster as well.
The findings come from a study carried out by Veracode Inc., which operates a cloud-based service to detect vulnerabilities in application code. Users of the service include Barclays plc, Nokia Corp. and The Goldman Sachs Group Inc.
In the study, dubbed "The State of Software Security," the vendor analysed a mixture of open source, internally developed and commercial software and found that most of it contained flaws leaving it open to serious application-level attacks, including common techniques such as SQL injection and cross-site scripting.
When evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors list, which is compiled jointly by MITRE and the US-based SANS Institute, 39% of open source applications reached an acceptable level of security, compared with 38% of commercial software and 31% of internally developed applications, a narrow margin between the first two.
Open source applications also contained the fewest potential backdoors of the three categories of software. In addition, when vulnerabilities were discovered in open source code, they were remediated within 36 days on average, compared with 48 days for internally developed code and 82 days for commercial software.
"The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the open source community," read the report.
The study found that 40% of all applications in large enterprises were supplied by third parties, and more than 30% of internally developed applications contained some commercial and open source code within them. "Most companies depend on third-party software to some extent, and this creates an exposure for them [to be attacked]," said Matt Moynahan, CEO of Veracode. "The liability in the software supply chain is as messy as the supply chain in the auto parts industry."
The State of Software Security report from Veracode is based on analysing billions of lines of code provided by Veracode's customers, and the vendor says it will now repeat the exercise every six months. The company used a variety of static, dynamic and manual testing methodologies on a wide range of application types -- including components, shared libraries, Web and non-Web applications -- and programming languages, including Java, C/C++ and .NET.