On the security of open source software

@article{Payne2002OnTS,
  title={On the security of open source software},
  author={Christian N. Payne},
  journal={Information Systems Journal},
  year={2002},
  volume={12}
}
Abstract: With the rising popularity of so‐called ‘open source’ software there has been increasing interest in both its various benefits and disadvantages. In particular, despite its prominent use in providing many aspects of the Internet's basic infrastructure, many still question the suitability of such software for the commerce‐oriented Internet of the future. This paper evaluates the suitability of open source software with respect to one of the key attributes that tomorrow's Internet will…

Open source vs. closed source software: towards measuring security

The state of the art of the security debate is discussed, and new metrics are proposed which allow us to answer the question of to what extent the review process of open source and closed source development has helped to fix vulnerabilities.

Increasing Software Security through Open Source or Closed Source Development? Empirics Suggest that We have Asked the Wrong Question

The results suggest that it is not the particular software development style that determines the severity of vulnerabilities and vendors' patching behavior, but rather the specific application type and the policy of the particular development community, respectively.

Security vulnerabilities in open source projects: An India perspective

This paper compares and analyses the public disclosure of vulnerabilities in Free and Open Source Software (FOSS) with that of non-open source systems, and indicates an urgent need to enhance vulnerability handling practices for FOSS-based applications.

To prevent them from entering, provide the keys

This paper states the arguments given by both Closed Source Software (CSS) editors and free software holders and proposes a strategy of security based on the heterogeneity of the computers owned by a company.

Modelling the Economics of Free and Open Source Software Security

A quantitative approach based on system dynamics is proposed to validate stated claims about F/OSS security and its economic aspects. An illustrative example supports the validity of the system dynamics approach as a testing vehicle to explain observed phenomena and to support or disprove argued hypotheses.

Industry-Wide Analysis of Open Source Security

The goal of this research is to analyze the popularity of various OSS projects among various industries, and also to provide insights into the security vulnerabilities and their impact on the industries that consume those OSS projects.

A Comprehensive and Comparative Analysis of the Patching Behavior of Open Source and Closed Source Software Vendors

G. Schryen, Computer Science, 2009 Fifth International Conference on IT Security Incident Management and IT Forensics, 2009

The results of the analysis suggest that it is not the particular software development style that determines patching behavior, but rather the policy of the particular software vendor; the analysis covers operating systems, database systems, web browsers, email clients, and office systems.

Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities

Analysing and comparing the published vulnerabilities of eight open source and nine closed source software packages provides an extensive empirical analysis of vulnerabilities in terms of mean time between vulnerability disclosures, the development of disclosures over time, and the severity of vulnerabilities.

Commercial software companies and open source community reaction to disclosed vulnerabilities: Case of Windows Server 2008 and Linux patching

Light is shed on the perceived security divide between the open source and closed source software under study: although the commercial companies respond faster, they do not respond according to the severity of the vulnerabilities disclosed.

The Application of DEA to Measure the Efficiency of Open Source Security Tool Production

The result of this research is a model that project developers can use to evaluate the relative efficiency of their projects; it also determines the number of inefficient projects that benchmark against each efficient project.

References

The paper cites 31 references; the first 10 are listed below.

The Role of the Development Process in Operating System Security

The results not only show that considering security at all phases of development leads to significantly more secure products, but also indicate the specific role that each development phase plays in this process.

Security through design as a paradigm for systems development

Examination of the influence that the development approach, viewed from a "waterfall" model perspective, has upon the effective security of the final system showed that systems which considered security at every phase of the development process demonstrated markedly better degrees of security.

INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD

This document is intended to extend the scope of the TCSEC so that the control objectives contained therein also address the protection of the integrity of information and computing resources.

Security in computing

Practical UNIX and Internet Security

This book discusses computer security basics; network and Internet security; auditing, logging, and forensics; and the role of Unix in the modern deployment environment.

Kerberos: an authentication service for computer networks

The authors concentrate on authentication for real-time, interactive services offered on computer networks, which include remote login, file system reads and writes, and information retrieval for applications like Mosaic.

SSH: secure login connections over the internet

SSH provides secure login, file transfer, X11, and TCP/IP connections over an untrusted network. It uses cryptographic authentication, automatic session encryption, and integrity protection for

Reflections on trusting trust

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.