research-article

Free access

Is open source security a myth?

Author:

Guido SchryenAuthors Info & Claims

Communications of the ACM, Volume 54, Issue 5

Pages 130 - 140

https://doi.org/10.1145/1941487.1941516

Published: 01 May 2011 Publication History

All formats PDF

Abstract

What does vulnerability and patch data say?

References

[1]

Alhazmi, O., Malaiya, Y., Ray, I. Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security 26, 3 (2007) 219--228.

Digital Library

Google Scholar

[2]

Anderson, R. Open and closed systems are equivalent (that is, in an ideal world). Perspectives on Free and Open Source Software. J. Feller, B. Fitzgerald, S.A. Hissam, and K.R. Lakhani (eds). MIT Press, Cambridge, MA, 2005, 127--142.

Google Scholar

[3]

Anderson, R. Why information security is hard---An economic perspective. In Proceedings of the 17^th Computer Security Applications Conference, (New Orleans, LA, Dec. 10-14, 2001), 358--365.

Digital Library

Google Scholar

[4]

Anderson, R. and Moore, T. Information security economics---and beyond. Information Security Summit 2008; http://www.cl.cam.ac.uk/~rja14/Papers/econ_czech.pdf.

Digital Library

Google Scholar

[5]

Arbaugh, W.A., Fithen, W.L. and McHugh, J. Windows of vulnerability: A case study analysis. IEEE Computer 33, 12 (2000), 52--59.

Digital Library

Google Scholar

[6]

Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C. and Shostack, A. Timing the application of security patches for optimal uptime. In Proceedings of 16^th Systems Administration Conference, (Berkeley, CA, 2002), USENIX Association, 233--242.

Digital Library

Google Scholar

[7]

Böhme, R. Vulnerability markets. What is the economic value of a zero-day exploit? In Proceedings of 22^nd Chaos Communication Congress, (Berlin, Germany, Dec. 27--30, 2005).

Google Scholar

[8]

Free Software Foundation (FSF). The free software definition; http://www.fsf.org/licensing/essays/free-sw.html, 2007.

Google Scholar

[9]

Frei, S., May, M., Fiedler, U. and Plattner, B. Large-scale vulnerability analysis. In Proceedings of the ACM SIGCOMM 2006 Workshop, (Nov. 11, 2006, Pisa, Italy).

Digital Library

Google Scholar

[10]

Gopalakrishna, R. and Spafford, E. H. A trend analysis of vulnerabilities. Technical Report 2005-05, CERIAS, Purdue University, May 2005.

Google Scholar

[11]

Levy, E. Wide open source; http://www.securityfocus.com/news/19, 2000.

Google Scholar

[12]

MITRE. Common vulnerabilities and exposures; http://cve.mitre.org, 2009.

Google Scholar

[13]

Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A. Predicting vulnerable software components. In Proceedings of the 14^th ACM Conference on Computer and Communications Security (CCS 2007), (Alexandria, VA, Oct. 2007), 529--540.

Digital Library

Google Scholar

[14]

NIST. National Vulnerability Database; http://nvd.nist.gov, 2009.

Google Scholar

[15]

Open Source Initiative (OSI). The Open Source Definition; http://www.opensource.org/docs/osd, 2006.

Google Scholar

[16]

Ozment, A. Improving vulnerability discovery models: Problems with definitions and assumptions. In Proceedings of the 3^rd Workshop on Quality of Protection, (Alexandria, VA, Oc. 29, 2007).

Digital Library

Google Scholar

[17]

Ozment, A. The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. In Proceedings of the 4th Workshop on the Economics of Information Security, (Harvard University, June 2-3, 2005, Cambridge, MA), 1--21.

Google Scholar

[18]

Ozment, A. and Schechter, S.E. Milk or wine: Does software security improve with age? In Proceedings of the 15^th Conference on USENIX Security Symposium, (Vancouver, B.C., July 31-Aug. 4, 2006).

Digital Library

Google Scholar

[19]

Payne, C. On the security of open source software. Information Systems Journal 12, 1 (2002), 61--78.

Crossref

Google Scholar

[20]

Raymond, E.S. The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary. O'Reilly, Beijing, China, 2001.

Digital Library

Google Scholar

[21]

Rescorla, E. Is finding security holes a good idea? In Proceedings of the 3^rd Annual Workshop on Economics and Information Security, (University of Minnesota, May 13--14, 2004).

Google Scholar

[22]

Radianti, J., Rich, E. and Gonzalez, J.J. Vulnerability black markets: Empirical evidence and scenario simulation. In Proceedings of the 42^nd Hawaii International Conference on System Sciences, (Big Island, Hawaii, Jan. 5--8, 2009).

Digital Library

Google Scholar

[23]

US-CERT. Vulnerability notes database field descriptions (2009); http://www.kb.cert.org/vuls/html/fieldhelp/

Google Scholar

[24]

Woo, S.-W., Alhazmi, O.H. and Malaiya, Y. K. An analysis of the vulnerability discovery process in Web browsers. In Proceedings of the 10^th International Conference on Software Engineering and Applications, (Dallas, TX, Nov. 13--15, 2006).

Google Scholar

[25]

Woo, S.-W., Alhazmi, O. H. and Malaiya, Y. K. Assessing vulnerabilities in Apache and IIS HTTP servers. In Proceedings of the 2^nd International Symposium on Dependable, Autonomic and Secure Computing, (Indianapolis, IN, Sept. 29-Oct. 1, 2006), 103--110.

Digital Library

Google Scholar

Cited By

View all

Hommersom DSabetta ACoppola BNucci DTamburri D(2024)Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source RepositoriesACM Transactions on Software Engineering and Methodology10.1145/364959033:5(1-28)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3649590
Bommasani RKapoor SKlyman KLongpre SRamaswami AZhang DSchaake MHo DNarayanan ALiang P(2024)Considerations for governing open foundation modelsScience10.1126/science.adp1848386:6718(151-153)Online publication date: 11-Oct-2024
https://doi.org/10.1126/science.adp1848
Lo F(2024)The paradoxical transparency of opaque machine learningAI & Society10.1007/s00146-022-01616-739:3(1397-1409)Online publication date: 1-Jun-2024
https://dl.acm.org/doi/10.1007/s00146-022-01616-7
Show More Cited By

Index Terms

Is open source security a myth?

Recommendations

Open source vs. closed source software: towards measuring security
SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

The increasing availability and deployment of open source software in personal and commercial environments makes open source software highly appealing for hackers, and others who are interested in exploiting software vulnerabilities. This deployment has ...
Open Source Security: Opportunity or Oxymoron?

As the computer industry focuses on system and network security, a growing number of users are taking a closer look at open source software in order to gauge whether its potential advantages outweigh its possible disadvantages. Although open source ...
Open source software licenses: Strong-copyleft, non-copyleft, or somewhere in between?

Studies on open source software (OSS) have shown that the license under which an OSS is released has an impact on the success or failure of the software. In this paper, we model the relationship between an OSS developer's utility, the effort that goes ...

Comments

Information & Contributors

Information

Published In

Communications of the ACM Volume 54, Issue 5

May 2011

134 pages

ISSN:0001-0782

EISSN:1557-7317

DOI:10.1145/1941487

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 May 2011

Published in CACM Volume 54, Issue 5

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Popular
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

37
Total Citations
View Citations
4,642
Total Downloads

Downloads (Last 12 months)666
Downloads (Last 6 weeks)96

Reflects downloads up to 12 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Hommersom DSabetta ACoppola BNucci DTamburri D(2024)Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source RepositoriesACM Transactions on Software Engineering and Methodology10.1145/364959033:5(1-28)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3649590
Bommasani RKapoor SKlyman KLongpre SRamaswami AZhang DSchaake MHo DNarayanan ALiang P(2024)Considerations for governing open foundation modelsScience10.1126/science.adp1848386:6718(151-153)Online publication date: 11-Oct-2024
https://doi.org/10.1126/science.adp1848
Lo F(2024)The paradoxical transparency of opaque machine learningAI & Society10.1007/s00146-022-01616-739:3(1397-1409)Online publication date: 1-Jun-2024
https://dl.acm.org/doi/10.1007/s00146-022-01616-7
Schlatt VGuggenberger TSchmid JUrbach N(2023)Attacking the trust machineInternational Journal of Information Management: The Journal for Information Professionals10.1016/j.ijinfomgt.2022.10247068:COnline publication date: 1-Feb-2023
https://dl.acm.org/doi/10.1016/j.ijinfomgt.2022.102470
Balsa ENissenbaum HPark SWeitzner DFeigenbaum JYoo C(2022)Cryptography, Trust and Privacy: It's ComplicatedProceedings of the 2022 Symposium on Computer Science and Law10.1145/3511265.3550443(167-179)Online publication date: 1-Nov-2022
https://dl.acm.org/doi/10.1145/3511265.3550443
Chan NChandy J(2022)Extracting Vulnerabilities from GitHub Commits2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER53432.2022.00038(235-239)Online publication date: Mar-2022
https://doi.org/10.1109/SANER53432.2022.00038
Wanger JCullen TDunbar EFlowers J(2022)Open-Source Software for Public Health: Opportunities and ApproachesSexually Transmitted Diseases10.1097/OLQ.000000000000168950:8S(S31-S33)Online publication date: 10-Aug-2022
https://doi.org/10.1097/OLQ.0000000000001689
Yasasin EPrester JWagner GSchryen G(2020)Forecasting IT security vulnerabilities – An empirical analysisComputers and Security10.1016/j.cose.2019.10161088:COnline publication date: 1-Jan-2020
https://dl.acm.org/doi/10.1016/j.cose.2019.101610
Hils MBöhme R(2020)Watching the Weak Link into Your Home: An Inspection and Monitoring Toolkit for TR-069Applied Cryptography and Network Security10.1007/978-3-030-57878-7_12(233-253)Online publication date: 19-Oct-2020
https://dl.acm.org/doi/10.1007/978-3-030-57878-7_12
Favato DIshitani DOliveira JFigueiredo EAlbuquerque Ade Paula Barros A(2019)Linus's LawProceedings of the XVIII Brazilian Symposium on Software Quality10.1145/3364641.3364650(69-78)Online publication date: 28-Oct-2019
https://dl.acm.org/doi/10.1145/3364641.3364650
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Magazine Site

View this article on the magazine site (external)

Magazine Site

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations

Open source vs. closed source software: towards measuring security

Open Source Security: Opportunity or Oxymoron?

Open source software licenses: Strong-copyleft, non-copyleft, or somewhere in between?

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Magazine Site

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations