Open source less secure than commercial software, claims report

Coverity report claims commercial software 'more in compliance' with security standards than open source

Open-source software is less secure than in-house or commercial software, according to analysis by Coverity, a maker of commercial software-testing tools. Commercial software makers also deal with security issues more quickly, according to Coverity.

However, at the same time, the report concluded that open-source software has a significantly lower "defect density" than commercial software.

Coverity claims to have analysed 14,000 commercial and 5,100 open-source software projects, coded in C, C++, Java and C#, analysing more than 10 billion lines of code.

In terms of software defects uncovered by Coverity's automated static-analysis tools, across 500 million lines of code in 2,650 open-source projects the company reported a defect density of 0.61 (Coverity measures defect density as defects per 1,000 lines of code). That compares with an overall defect density of 0.76 across the 9.1 billion lines of code analysed in 8,776 commercial software packages. Furthermore, the company claims that defect density has declined year on year.

The company also claims that security issues are dealt with more quickly by commercial software vendors than by open-source projects.

"Even though both the commercial projects and the open-source projects had the same average time of six months of being able to fix issues, we have observed the trend that commercial software is tackling these security vulnerabilities at a relatively faster pace compared to open-source software," claimed the report.

At the same time, though, both forms of software development are improving in both reliability and security.

"If we look at the static analysis defect density data from this report, what we generally see is that both open source and commercial software are getting better all the time. It's also clear that open source and commercial software are advancing in different ways.