Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities

Reviewing the literature on open source and closed source security reveals that the discussion is often shaped by biased attitudes toward one of these development styles. In particular, the discussion lacks appropriate metrics, methodology and hard data. This paper contributes to solving this problem by analyzing and comparing the published vulnerabilities of eight open source and nine closed source software packages, all of which are widely deployed. It thereby provides an extensive empirical analysis of vulnerabilities in terms of the mean time between vulnerability disclosures, the development of disclosures over time, and the severity of vulnerabilities, and allows the models proposed in the literature to be validated. The investigation reveals that (a) the mean time between vulnerability disclosures was lower for open source software in half of the cases, while the other cases show no differences, (b) in contrast to the assumption made in the literature, 14 out of 17 software packages showed a significant linear or piecewise linear correlation between time and the number of published vulnerabilities, and (c) regarding the severity of vulnerabilities, no significant differences were found between open source and closed source.
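The three measures the abstract names (mean time between vulnerability disclosures, the trend of cumulative disclosures over time, and a severity summary) can be computed from a plain list of disclosure records. The block below is an added example, not code or data from the paper: the packages `pkg_open` and `pkg_closed`, their disclosure dates and CVSS base scores are constructed, and the functions are assumptions about how such metrics would be implemented. It goes slightly beyond the abstract by also fitting a two-segment (piecewise linear) line, choosing the breakpoint with the lowest residual error, so the reader can see when a single line is enough.

```python
from datetime import date

# Constructed sample data (not the paper's data): (disclosure date, CVSS base
# score) for two hypothetical packages. Dates are chosen so the gaps are
# regular, which keeps the expected numbers easy to check by hand.
DISCLOSURES = {
    "pkg_open": [
        ("2007-01-10", 5.0), ("2007-02-14", 7.5), ("2007-03-20", 4.3),
        ("2007-04-25", 9.3), ("2007-05-30", 5.0), ("2007-07-04", 6.8),
        ("2007-08-08", 4.3), ("2007-09-12", 7.5),
    ],
    "pkg_closed": [
        ("2007-01-05", 7.5), ("2007-03-16", 9.3), ("2007-05-25", 4.3),
        ("2007-08-03", 6.8), ("2007-10-12", 7.5),
    ],
}


def parse_dates(records):
    """Sorted disclosure dates from (iso_date, score) records."""
    return sorted(date.fromisoformat(d) for d, _ in records)


def mtbvd(records):
    """Mean time between vulnerability disclosures, in days."""
    ds = parse_dates(records)
    gaps = [(later - earlier).days for earlier, later in zip(ds, ds[1:])]
    return sum(gaps) / len(gaps)


def cumulative_series(records):
    """x = days since the first disclosure, y = cumulative disclosures so far."""
    ds = parse_dates(records)
    xs = [(d - ds[0]).days for d in ds]
    ys = list(range(1, len(ds) + 1))
    return xs, ys


def linear_fit(xs, ys):
    """Ordinary least squares line; returns (slope, intercept, r_squared, sse)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    slope = sxy / sxx if sxx else 0.0
    intercept = my - slope * mx
    sse = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, ys))
    r2 = 1 - sse / syy if syy else 1.0
    return slope, intercept, r2, sse


def piecewise_fit(xs, ys, min_pts=3):
    """Two-segment fit: try every breakpoint that leaves at least min_pts
    points per segment and keep the one with the lowest total SSE.
    Returns (break_x, total_sse, left_fit, right_fit), or None if the
    series is too short to split."""
    best = None
    for k in range(min_pts, len(xs) - min_pts + 1):
        left = linear_fit(xs[:k], ys[:k])
        right = linear_fit(xs[k:], ys[k:])
        total = left[3] + right[3]
        if best is None or total < best[1]:
            best = (xs[k], total, left, right)
    return best


def severity_summary(records, high=7.0):
    """Mean CVSS score and the share of disclosures at or above `high`."""
    scores = [s for _, s in records]
    return {
        "mean": sum(scores) / len(scores),
        "share_high": sum(s >= high for s in scores) / len(scores),
    }


if __name__ == "__main__":
    for name, records in DISCLOSURES.items():
        xs, ys = cumulative_series(records)
        slope, _, r2, sse = linear_fit(xs, ys)
        pw = piecewise_fit(xs, ys)
        print(f"{name}: MTBVD={mtbvd(records):.1f} days, "
              f"slope={slope:.4f}/day, r2={r2:.4f}, "
              f"piecewise_sse={pw[1] if pw else 'n/a'}, "
              f"severity={severity_summary(records)}")
```

Because each segment of the two-segment fit is itself a least-squares line, its total SSE can never exceed that of the single line; a piecewise model is only worth reporting when the improvement is large relative to the single-line residual, which is the kind of comparison the abstract's "linear or piecewise linear" finding rests on.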
