Vulnerabilities and Risk Management of Open Source Software: An Empirical Study
Author
J Rees, K Altinkemer, S Sridhar
Tech report number
CERIAS TR 2006-75
Entry type
article
Abstract
Software selection is an important consideration in risk management for information security. Additionally, the underlying robustness and security of a technology under consideration has become increasingly important in total cost of ownership and other calculations of business value. Open source software is often touted as being robust to many of the problems that seem to plague so-called "proprietary" or non-open source software. This study seeks to empirically investigate, from an information security perspective, specific security characteristics of open source software compared to those of proprietary software. Software vulnerability data spanning several years were collected and analyzed to determine whether significant differences exist in terms of inter-arrival times of published vulnerabilities, median time to release fixes (commonly referred to as patches), type of vulnerability reported, and the respective severity of the vulnerabilities. It appears that open source and proprietary software are likely to report similar vulnerabilities, and that open source projects are quicker in releasing patches for problems identified in their software. However, comparisons of yearly statistics reveal improvements in the performance of proprietary software companies, which suggests that they are quickly realizing the competition presented by the open source software community.
Date
2007
Journal
Journal of Information Systems Security
Key alpha
Rees
Publication Date
2007-00-00

