Are You More Secure With Open Source Software?
The latest attempt to answer this query comes from the code scanning vendor Veracode.
The Veracode study found that, in aggregate, 58% of all applications it scanned did not have an acceptable security score, meaning those applications carried some identified risk.

39% of open source applications and 38% of commercial applications did have an acceptable score, according to Veracode, when mapped against the CWE/SANS Top 25 Most Dangerous Programming Errors.
That’s not so impressive to me…
…What was impressive however, from my perspective, was the remediation time:
“Open Source project teams remediated security vulnerabilities faster than all other users of Veracode’s application risk management services platform…Open Source applications took only 36 days from first submission to reach an acceptable security score, compared to 48 days for Internally Developed applications and 82 days for Commercial applications.”
Veracode also noted that open source software had fewer backdoors, at less than 1% across the applications scanned in the study. The ‘many eyes’ of open source transparency are most likely the number one reason there are not more backdoors in open source code.
I have seen and reported on other studies over the years showing differing levels of open source code quality, but time to remediation is often a statistic where open source really stands alone. The fact of the matter is that all software has bugs, many eyes or not. What developers do once something is found, and how fast those issues are fixed, is, in my estimation, the truest test of software resilience and quality.