Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Open source code contains fewer defects, but there's a catch

Paul Rubens | Nov. 19, 2014
Research suggests that software developed using open source code contains fewer defects than that built with proprietary code. The catch is that open source code rarely benefits from security teams specifically tasked with looking for bugs.

C++ Java PHP .Net Python JavaScript code digital
Credit: Thinkstock

Open source code is lower quality than proprietary code. At least, that's how many people now perceive it.

Until this year, you could make a persuasive argument that defects in freely available source code are more likely to be spotted and fixed promptly than defects in proprietary software. Then along came Goto Fail, Heartbleed, Shellshock and Poodle. These four high-profile bugs in open source software weren't detected and fixed for years, in some cases, despite the code having been freely available for anyone to inspect.

That's been enough to put a question mark back in many people's minds about the way that open source software is developed -- and whether it's enough to count on someone, somewhere, analyzing the code and spotting defects. There's a risk that everyone assumes someone else analyzes the code when, in fact, no one with the necessary skills is actually doing so. This calls into question the wisdom of adopting open source software in the enterprise at all.

But proprietary software frequently contains defects, including security vulnerabilities. Is there any real evidence to suggest that open source code is better or worse than its closed source counterpart?

The annual Coverity scan report provides one source of objective information about the amount of code defects in open source and proprietary software. The report analyzes the levels of defects found in software developed using the two different models, which it runs though its static analysis system.

It's important to bear in mind that the scan report only includes software that's submitted for scanning; in a sense, this is a self-selected sample. That said, it turns out that the defect density -- the number of bugs per 1,000 lines of code -- of open source and proprietary software are broadly similar.

In fact, the most recent report (2013) found open source software written in C and C++ to have a lower defect density than proprietary code. The average defect density across projects of all sizes was 0.59 for open source, and 0.72 for proprietary software.

Applications with few lines of code had, in general, lower defect densities than larger ones, although large apps with more than 1 million lines of code actually had a lower density than some medium-sized apps.

Open Source Code May Be Secure, But Fewer Teams Protect It
That seems to give open source software an endorsement as far as code quality is concerned. When it comes to security bugs specifically, though, many open source projects take inadequate steps to prevent them, according to Zack Samocha, Coverity's senior director of products.


1  2  3  Next Page 

Sign up for Computerworld eNewsletters.