[SC-L] Economics of Software Vulnerabilities

Steven M. Christey coley at linus.mitre.org
Wed Mar 21 12:53:00 EST 2007


On Tue, 20 Mar 2007, Wall, Kevin wrote:

> With rare exceptions, in general, I do not find that the
> open source community is that much more security conscious
> than those producing closed source. Certainly this seems true
> if measured in terms of vulnerabilities and we measure "across
> the board" (e.g., take a random sampling from SourceForge) and
> not just our favorite security-related applications.

Indeed, CVE and any other refined vulnerability information source is
chock full of open source products on SourceForge that have the most
obvious security holes possible, and let's not forget the open source
products that have gotten a bad reputation such as PHP-Nuke and Sendmail.
Insecure programming is universal.

> Where I _do_ see a remarkable difference is that the open source
> community seems to be in general much faster in getting security
> patches out once they are informed of a vulnerability.

Seems to, yes, based on statistics of publicly reported vulns.
Unfortunately I can't remember the studies at the moment :(

- Steve