Commercial software 'significantly more secure' than open source software, says new report

Synopsys analysed billions of lines of code from more than 2,500 open source projects as well as code from commercial software.

It said that although commercial software contains more defects per 1,000 lines of code than open source software, the commercial software is "more in compliance" with software security standards such as the Open Web Application Security Project Top 10 and the Common Weakness Enumeration (CWE) 25 than open source software.

"Looking at our Java defect density data through the lens of OWASP Top 10, we observe that commercial software is significantly more secure than open source software," according to Synopsys' latest annual Coverity Scan Report. "It is important to note that even though both the commercial projects and the open source projects had the same average time of 6 months of being able to fix issues, we have observed the trend that commercial software is tackling these security vulnerabilities at a relatively faster pace than compared to open source software, which might indicate commercial software projects are driven by compliance and policy to resolve defects in this category."

According to the report, both open source and commercial software is "getting better all the time", but the greater security emphasis is with commercial software.

"Open source software is becoming more feature-rich, getting better compared to previous versions of itself," the report said. "What drives development work for open source projects is people needing the software to do certain things. Therefore, adding features takes precedence over bug fixing. Commercial software is becoming more stable and secure based on compliance standards. Commercial development is driven by competition and compliance to industry standards, which puts a higher priority on stability, security and bug fixing."