Research Shows FOSS Bugs Get Rapid Response, Commercial Software Not So Much
Not that this should surprise anyone familiar with the open source community, but a new study shows bugs in open source software get fixed more quickly than issues in commercial software. Technology news Web site V3.co.uk got an early look at the results of research conducted by application security firm Veracode, which indicate "security issues in open-source software typically take less than a week to remediate and report on, or three man hours of effort."
The news isn't all rosy, however. According to the same research, only 24 percent of open source projects meet "an acceptable level of security," compared to an equally dismal 23 percent of commercial software. The difference, in other words, lies in how quickly flaws are fixed, not in how many flaws ship in the first place. "All code is pretty bad, whether commercial or open-source, but the fixes are done more quickly and efficiently with open source. There are more eyeballs on the code, and [programmers] seem to take more pride in their work," Veracode president and chief executive Matt Moynahan told V3.co.uk.
The security of open source software is a hotly debated subject, and "security" is often cited, usually without supporting evidence, as a reason to avoid FOSS solutions in the enterprise. In the end, it's up to each company to weigh the benefits against the risks of whatever software it chooses, open source or commercial, and that assessment should cover not just how many flaws a product ships with but how fast its maintainers close them once reported. The takeaway from this study is narrower than "open source is more secure": both camps score poorly on baseline security, but the FOSS projects Veracode examined were consistently quicker to act on reported issues and correct them.
Computer security expert Bruce Schneier, a frequently cited authority on these questions, once put the open source case this way: "I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice."