Open-source versus commercial software: better in different ways

Open-source software has been found to be of a higher quality than commercial code, continuing a trend from previous years, according to the Coverity Scan Open Source Report 2014.

Produced by Synopsys, the report is based on an analysis of over 10 billion lines of code from more than 2,500 open-source projects, which were compared against an anonymous sample of commercial projects.

The report found that open-source projects are getting better year on year at addressing defects, while commercial software does an increasingly good job of complying with security standards such as the Open Web Application Security Project (OWASP) Top 10 and CWE-25.

This represents improvement in both camps but in different ways, Synopsys said.

Open-source software has a considerably lower defect rate than commercial software, according to Synopsys. Both improved from 2013 to 2014: open-source defect density fell from 0.66 defects per 1,000 lines of code in 2013 to 0.61 in 2014, while commercial code saw only a slight decline, from 0.77 to 0.76.

However, commercial software is more compliant with OWASP Top 10 than open-source software by a wide margin. Per 100,000 lines of code, open-source software averaged 8.61 OWASP Top 10 defects compared to 0.56 for commercial software.

“Looking at our Java defect density data through the lens of OWASP Top 10, we observe that commercial software is significantly more secure than open source software. It is important to note that even though both the commercial projects and the open source projects had the same average time of 6 months of being able to fix issues, we have observed the trend that commercial software is tackling these security vulnerabilities at a relatively faster pace than open source software, which might indicate commercial software projects are driven by compliance and policy to resolve defects in this category,” the report stated.

And it added: “If we look at recent security issues in commercial software, most of these development companies have compliance teams that enforce standards, but we still see serious vulnerabilities on an almost weekly basis. The industry needs to balance security with development speed, especially as more software projects move to agile methodology and time to market becomes more important than ever before.”

Initiated in 2006 with the US Department of Homeland Security, the Coverity Scan service began as a joint public-private sector research project focused on improving open-source software quality and security. Synopsys now manages the Coverity Scan Service project, providing its development testing technology as a free service to the open-source community.