Is open source security a myth?

@article{Schryen2011IsOS,
  title={Is open source security a myth?},
  author={Guido Schryen},
  journal={Communications of the ACM},
  year={2011},
  volume={54},
  pages={130--140}
}
  • G. Schryen
  • Published 1 May 2011
  • Computer Science
  • Communications of the ACM
What does vulnerability and patch data say?

Security assessment of open source third-parties applications
TLDR
An automatic screening test for quickly identifying the versions of FOSS components likely affected by newly disclosed vulnerabilities: a novel method that scans across the entire repository of a FOSS component in a matter of minutes and shows that the screening test scales to large open source projects.
Beware of the Vulnerability! How Vulnerable are GitHub's Most Popular PHP Applications?
TLDR
This study analyzed the top 100 open source PHP applications in GitHub using a static analysis vulnerability scanner to examine how common software vulnerabilities are and found that 27% of these projects are insecure, with a median number of 3 vulnerabilities per vulnerable project.
Challenges to Cybersecurity: Current State of Affairs
  • Ravi Sen
  • Computer Science
    Commun. Assoc. Inf. Syst.
  • 2018
TLDR
The technical, economic, legal, and behavioral challenges that continue to obstruct any meaningful effort to achieve reasonable cybersecurity are identified.
A proposed framework for proactive vulnerability assessments in cloud deployments
  • K. Torkura, Feng Cheng, C. Meinel
  • Computer Science
    2015 10th International Conference for Internet Technology and Secured Transactions (ICITST)
  • 2015
TLDR
A framework is proposed that would mitigate risks resulting from long time lags between OpenStack patch releases and patch inclusion in vulnerability scanning engines by gathering and correlating information from several security information sources including exploit databases, malware signature repositories and Bug Tracking Systems.
Aggregating Vulnerability Information for Proactive Cloud Vulnerability Assessment
TLDR
This work proposes a framework that would mitigate the aforementioned risks by gathering and correlating information from several security information sources, including exploit databases, malware signature repositories, Bug Tracking Systems and other channels, and characterizes two new security metrics to describe the discovered risks.
On the Security Cost of Using a Free and Open Source Component in a Proprietary Product
The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software FOSS components within a proprietary software supply chain of a
Analyses of Two End-User Software Vulnerability Exposure Metrics
TLDR
Two new security metrics are proposed, average active vulnerabilities (AAV) and vulnerability free days (VFD), which capture both the speed with which new vulnerabilities are reported to vendors and the rate at which software vendors fix them.
How does the offense-defense balance scale?
TLDR
This work offers a general formalization of the offense-defense balance in terms of contest success functions, meaning how it changes as investments into a conflict increase, and refers to this phenomenon as offensive-then-defensive scaling or OD-scaling.
Assessing Web Browser Security Vulnerabilities with respect to CVSS
Since security vulnerabilities newly discovered in a popular Web browser immediately put a number of users at risk, urgent attention from developers is required to address those vulnerabilities.
The public health analogy in Web security
TLDR
This thesis proposes a novel interpretation of the public health analogy, which focuses on the notions of efficacy and rights, so that these guidelines can continue to be used in the context of the major stakeholders who could intervene in the drive-by download process, and concludes that hosting providers are best placed to intervene to make a difference.

References

SHOWING 1-10 OF 31 REFERENCES
Vulnerability Markets: What is the economic value of a zero-day exploit?
TLDR
This essay introduces the economic perspective on computer security and discusses the advantages and drawbacks of different concepts for vulnerability markets, where security-related information can be traded.
Is finding security holes a good idea?
TLDR
The analysis in this article represents the best-case scenario, consistent with the data and my ability to analyze it, for the vulnerability finding's usefulness.
Timing the Application of Security Patches for Optimal Uptime
TLDR
A model is presented that will help provide a formal foundation for when the practitioner should apply security updates, providing both mathematical models of the factors affecting when to patch and collecting empirical data to give the model practical value.
Why information security is hard - an economic perspective
  • Ross J. Anderson
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
TLDR
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.
Improving Vulnerability Discovery Models: Problems with Definitions and Assumptions
TLDR
A standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process is proposed, and the theoretical requirements of VDMs are described, to highlight the shortcomings of existing work.
Improving vulnerability discovery models
TLDR
A standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process is proposed, and the theoretical requirements of VDMs are described, to highlight the shortcomings of existing work.
Windows of Vulnerability: A Case Study Analysis
TLDR
A life cycle model for system vulnerabilities is proposed, then applied to three case studies to reveal how systems often remain vulnerable long after security fixes are available.
Vulnerability Black Markets: Empirical Evidence and Scenario Simulation
TLDR
If legal markets expose vulnerabilities that go unresolved, the security and quality of software may suffer more than in the absence of a legal market, and the problem scope expands beyond vulnerability trading to one that requires active participation and reaction by software vendors.
Large-scale vulnerability analysis
TLDR
This paper examines how vulnerabilities are handled in large-scale, analyzing more than 80,000 security advisories published since 1995 and quantifies the performance of the security industry as a whole.
On the security of open source software
TLDR
Evaluating the suitability of open source software with respect to one of the key attributes that tomorrow's Internet will require, namely security, this work presents preliminary quantitative evidence concerning the security issues surrounding the use and development of open source software, in particular relative to traditional proprietary software.