Business Week Online
Insecurity in Open Source What open-source developers can learn about security and quality from—gasp—makers of proprietary software
OCTOBER 6, 2006
Viewpoint By Ben Chelf
Debates over what methods result in the best software often pit those who favor an open-source approach against proponents of proprietary, or closed-source, development. Conventional wisdom holds that open-source software should have fewer security flaws than proprietary software. With more eyes able to look at the underlying source code, bugs should be found and squashed much faster.
But when software security and quality really matter—like crossing the Atlantic on a jet airliner—trust me, you want to fly proprietary.
That conclusion is based on my company's involvement in testing of software security and quality. Working with the Homeland Security Dept. and Stanford University, my firm, Coverity, has closely analyzed 50 of the most popular open-source software projects, scanning more than 20 million lines of code daily. We publish those results here on the Web.
BUG TO BUG COMPARISON. For the first time, we've compared those results with proprietary software from more than 100 different companies, including some of the best-known names in aerospace, financial services, software, and telecommunications—more than 60 million lines of code all together.
In our research using automatic bug-hunting technology, no open-source project we analyzed had fewer software defects (per thousand lines of code) than the top-of-the-line closed-source application. That proprietary code, written for an aerospace company, is better than the best in open source—more than five times better, in fact. That company's software won't let you down when you're flying from New York to London.
Of the more than 150 open-source and proprietary software applications that we have analyzed in this study, closed-source software code grabbed 11 of the top 15 spots for the highest quality and security.
Full at:
http://www.businessweek.com/technology/content/oct2006/tc20061006_394140.htm...
Sometime Today, Sujeet Bhatt assembled some asciibets to say:
But when software security and quality really matter—like crossing the Atlantic on a jet airliner—trust me, you want to fly proprietary.
Apples and oranges. It's important to compare like objects. One cannot hold a word processing application to the same stringent quality levels as an application responsible for people's lives. The quality of code in the latter case has nothing to do with it being open or closed. It has to do with the developer's commitment to provide bug free code, and the stakeholder's commitment to put resources into ensuring the same.
On 08/10/06 22:16 +0530, Philip Tellis wrote:
Sometime Today, Sujeet Bhatt assembled some asciibets to say:
But when software security and quality really matter—like crossing the Atlantic on a jet airliner—trust me, you want to fly proprietary.
Apples and oranges. It's important to compare like objects. One cannot hold a word processing application to the same stringent quality levels as an application responsible for people's lives. The quality of code
One can. One generally doesn't. "This word processor is certified to run on this hardware, running this specific set of programs (including versions) only. It will not support macros, or be user customisable. It also cost you only USD eleventy-billion." is not what most people want from their word processors.
in the latter case has nothing to do with it being open or closed. It has to do with the developer's commitment to provide bug free code, and the stakeholder's commitment to put resources into ensuring the same.
Mostly the stakeholder's commitment to put in time and money, and the ability to have a _very_ limited set of requirements. The average text editor is more complex than the software running the space shuttle.
Devdas Bhagat
On 10/8/06, Philip Tellis philip.tellis@gmx.net wrote:
Apples and oranges. It's important to compare like objects. One cannot hold a word processing application to the same stringent quality levels as an application responsible for people's lives. The quality of code in the latter case has nothing to do with it being open or closed. It has to do with the developer's commitment to provide bug free code, and the stakeholder's commitment to put resources into ensuring the same.
Completely agree. Still, there are software bugs that fry people, like Therac-25 [1].
-- Vinayak
[1] http://infotech.fanshawec.ca/gsantor/Computing/FamousBugs.htm
On 08-Oct-06, at 5:51 PM, Sujeet Bhatt wrote:
Of the more than 150 open-source and proprietary software applications that we have analyzed in this study, closed-source software code grabbed 11 of the top 15 spots for the highest quality and security.
How can they prove it? Where is the code? I have gone through windows vista code and can state that there are no bugs.
On 09/10/06 10:33 +0530, Kenneth Gonsalves wrote: <snip>
How can they prove it? Where is the code? I have gone through windows vista code and can state that there are no bugs.
Please do not contribute to any FOSS code where there is a Microsoft equivalent.
Though if you actually read that article, all the good stuff in the closed world is phenomenally expensive, and limited to specialist areas where human lives are at stake (if they weren't, the software would be cheap and buggy, because customers don't want to pay for quality code).
Devdas Bhagat
On Sunday 08 October 2006 17:51, Sujeet Bhatt wrote:
Business Week Online
Don't make me laugh. And don't waste your time reading anything from that mag. They are a M$ funded FUD shop. grep groklaw for the muddy funding disclosures. Picking results from unrelated and out of context studies is their trademark.