While Ross J. Anderson (2008) notes that commercial deadlines can degrade the quality of the source code produced even by skilled software developers, the argument is countered by Craig Mundie, Microsoft's CTO, who holds that in the current market software vendors are under pressure to develop quality software because “more and more customers view security as a key decision factor” (Berni Dwan, 2004). However, the statistical information available in the National Vulnerability Database (2012) tends to support Ross J. Anderson, showing a steady growth in the number of vulnerabilities discovered in Microsoft Windows. According to the National Vulnerability Database (2012), Microsoft Windows had 17 vulnerabilities discovered in 2007, 34 in 2008, 47 in 2009, 166 in 2010 and 197 in 2011.
Schryen (2011) uses two additional factors, Mean Time Between Vulnerability Disclosures (MTBVD) and (un)patching behaviour, to compare the security of open source and non-open source system components. According to the collected data, in most cases the vulnerabilities discovered in open source products are fixed noticeably quicker than in their non-open source counterparts. Moreover, the research demonstrates that, again in most cases, open source products aim to close the majority of identified vulnerabilities, while non-open source vendors adopt a more prioritised approach whereby “there is a strong bias toward patching severe vulnerabilities” (Schryen, 2011). As a result, 66.22% of Microsoft Internet Explorer 7 vulnerabilities remain unpatched, compared to 20.36% for Mozilla Firefox 2. The same pattern is reflected in e-mail clients, where Microsoft Outlook Express 6 has 65.22% of its vulnerabilities unpatched, compared to 5.45% for Mozilla Thunderbird 1.
Ross J. Anderson (2008) also points out the difference between the target markets of open source and non-open source products: “the users of open products such as GNU/Linux and Apache are more motivated to report system problems effectively, and it may be easier to do so, compared with Windows users who respond to a crash by rebooting and would not know how to report a bug if they wanted to” (Ross J. Anderson, 2008). This, in turn, can further skew the published vulnerability statistics.
While the numbers may suggest that open source solutions are more secure, “open and closed approaches to security are pretty much equivalent, making source code publicly available helps attackers and defenders alike” (Berni Dwan, 2004), since it allows each party to evaluate the most effective and sophisticated attack methods.
Bibliography
- Berni Dwan, 2004. 'Open source vs closed', Network Security, Volume 2004, Issue 5, May 2004, pp. 11-13, EBSCOhost, viewed 21 April 2012.
- Mark Willoughby, 2005. 'Q&A: Quality software means more secure software' [online], Computer World. Available from: http://www.computerworld.com/s/article/91316/Q_A_Quality_software_means_more_secure_software (accessed 21 April 2012).
- National Vulnerability Database (NVD), 2012. 'Statistics Results Page' [online]. Available from: http://goo.gl/RGRy9 (accessed 21 April 2012).
- Schryen, G., 2011. 'Is Open Source Security a Myth?', Communications of the ACM, 54(5), pp. 130-140, Business Source Premier, EBSCOhost, viewed 21 April 2012.
- Steve, M., 2008. 'Open source: does transparency lead to security?', Computer Fraud & Security, 2008, pp. 11-13, ScienceDirect, EBSCOhost, viewed 21 April 2012.
- Ross J. Anderson, 2008. 'A Guide to Building Dependable Distributed Systems', 2nd edition. Wiley Publishing.