New study says OSS exploited earlier, more often

But the writer cautions against concluding that open source software is less secure; it's more complicated than that.

An analysis being presented this week says open source software is exploited faster and more effectively than proprietary solutions.

Even so, the author of the study, Sam Ransbotham of Boston College, stops short of saying open source is less secure than proprietary software, for a variety of reasons:

• More vulnerabilities tend to be caught pre-release in open-source software, so there are fewer opportunities for exploitation.

"... it would be incorrect to conclude that open source is strictly worse for software security. The benefits from open source remain at the pre-release stage. Although these are difficult to quantify, it is likely that the benets of open source outweigh the negative effects in the exploitation stage."

• The types of vulnerabilities may be of differing importance. Ransbotham said it was possible the vulnerabilities found in open source were "shallower" and less important than those in proprietary software.The Ninth Workshop on the Economics of Information Security at Harvard University. It's filled with statistics and graphs and methodology, but basically it came down to this, according to the MIT Technology Review: "attacks on vulnerabilities in open-source software occurred three days sooner and with nearly 50 percent greater frequency." majority of the vulnerabilities, however, were in closed-source software: 67 of the 97 examined in Ransbotham's paper. Immunity security firm CTO David Aitel told MIT's publication that it may be that those smaller number of vulnerabilities are attacked more often, but may be less important - drawing attention away from, maybe, more important systems running proprietary software for more serious all 25 pages of it as a PDF. Let me know if I missed something important in here; I'm sure I did. I'd love to hear your thoughts and analysis.

• Intangibles in the different types of software - not proprietary vs open source, but rather what the software does - that make some vulnerabilities easier to exploit than others.

• Just as the code being open source can make it easier for those who exploit the vulnerabilities, it can make the job easier for those who would patch them.

Ransbotham is presenting his paper tomorrow at

He used data from 2006 and 2007 from the National Vulnerabilities Database. Of the more than 13,000 software products with vulnerabilities listed, he could confirm the type of license for only about half. The rest, he said, were likely not very well-known and hardly used and so shouldn't skew the results. Of those for which licenses were found, 3,369 were open source and 3,121 proprietary. He also used data from intrusion detection system logs from 960 clients of security provider SecureWorks.

Among the problems Ransbotham sees with open-source software is that the patches also are open-source and so the hackers can more easily figure out how to exploit the patch. Even so, the faster patches are put out, the more hackers are likely to move on to other targets, he says. So open source could be attacked earlier, but also abandoned as a target faster.

He also sees the use of open-source elements in other systems and programs - both open and proprietary - as creating more of a problem in disseminating the patches. He does point out, however, that closed-source software also can be reused in other components and so there can be problems in the dissemination on that scale, too.


I know many of you will have lots to say about the results of Ransbotham's paper - you can

But remember: I'm just the messenger.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.