The Continuing Open Source Security Debate


It's almost funny how nearly every other week there's a new study on the security of open source software, or the lack thereof. A new report sponsored by Fortify Software says open source is not secure and governments and others who rely on it should do so with caution.
According to PC Pro, the study found serious security flaws in the projects it scanned and also uncovered that those flaws "persisted across product releases." The story also quotes the Fortify report as follows:

"[O]pen source development seems resistant to information on security."

But unless I'm mistaken, Google's oCert was created to help ensure that where flaws are found, someone knows about them so they can be fixed. And Fortify competitor Coverity is working with the Department of Homeland Security and others to scan open source projects for flaws so that the project creators can make sure they're fixed. Coverity released the 2008 report from its scan not too long ago.
What's more, every open source project Web page I've ever seen has a mechanism for reporting and fixing bugs and vulnerabilities. If the projects weren't interested in security information, would such mechanisms even exist? And let's not forget that this secure/not-secure debate has been going on for years. Each side sponsors its own studies and reports its own findings, so the answer to who wins depends on whom you ask.