On Tue, 20 Mar 2007, Wall, Kevin wrote:

> With rare exceptions, in general, I do not find that the
> open source community is that much more security conscious
> than those producing closed source. Certainly this seems true
> if measured in terms of vulnerabilities and we measure "across
> the board" (e.g., take a random sampling from SourceForge) and
> not just our favorite security-related applications.
Indeed, CVE and any other refined vulnerability information source is chock full of open source products on SourceForge that have the most obvious security holes possible, and let's not forget the open source products that have gotten a bad reputation, such as PHP-Nuke and Sendmail. Insecure programming is universal.

> Where I _do_ see a remarkable difference is that the open source
> community seems to be in general much faster in getting security
> patches out once they are informed of a vulnerability.

Seems to, yes, based on statistics of publicly reported vulns. Unfortunately I can't remember the studies at the moment :(

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________