Vulnerabilities and Risk Management of Open Source Software: An Empirical Study

Software selection is an important consideration in risk management for information security. Additionally, the underlying robustness and security of a technology under consideration has become increasingly important in total cost of ownership and other calculations of business value. Open source software is often touted as being robust to many of the problems that seem to plague proprietary software. This study seeks to empirically investigate, from an information security perspective specific security characteristics of open source software compared to those of proprietary software. Software vulnerability data spanning several years are collected and analyzed to determine if significant differences exist in terms of inter-arrival times of published vulnerabilities, median time to release ‘fixes’ (commonly referred to as patches), type of vulnerability reported and the respective severity of the vulnerabilities. It appears that both open source and proprietary software are each likely to report similar vulnerabilities and that open source software is only marginally quicker in releasing patches for problems identified in their software. The arguments favoring the inherent security of open source software do not appear to hold up to scrutiny. These findings provide evidence to security managers to focus more on holistic software security management, irrespective of the proprietary-nature of the underlying software.