Abstract
Software selection is an important consideration in risk management for information security. Additionally, the underlying robustness and security of a technology under consideration has become increasingly important in total cost of ownership and other calculations of business value. Open source software is often touted as being robust to many of the problems that seem to plague so-called “proprietary” or non-open source software. This study seeks to empirically investigate, from an information security perspective, specific security characteristics of open source software compared to those of proprietary software. Software vulnerability data spanning several years were collected and analyzed to determine whether significant differences exist in terms of inter-arrival times of published vulnerabilities, median time to release ‘fixes’ (commonly referred to as patches), type of vulnerability reported, and the respective severity of the vulnerabilities. It appears that open source and proprietary software are each likely to report similar vulnerabilities, and that open source software is quicker in releasing patches for problems identified in its software. However, comparisons of yearly statistics reveal improvements in the performance of proprietary software companies. This suggests that they are quickly realizing the competition presented by the open source software community.
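As an added illustration of the measures the abstract names (inter-arrival time of published vulnerabilities, median time to release a patch, vulnerability type and severity), the following Python script computes them for two groups from a small constructed set of records. This is example code, not the study's own analysis or data; the records, the group labels and the function names are assumptions made here, and the study's real data set and statistical tests are not reproduced.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample records, not the study's data set. Each entry is
# (disclosure date, patch date or None if still unpatched, severity, type).
SAMPLE = {
    "open_source": [
        ("2004-01-05", "2004-01-08", "high", "buffer overflow"),
        ("2004-01-12", "2004-01-14", "medium", "denial of service"),
        ("2004-01-30", "2004-02-10", "low", "information disclosure"),
        ("2004-02-14", None, "high", "buffer overflow"),
        ("2004-03-01", "2004-03-04", "medium", "denial of service"),
    ],
    "proprietary": [
        ("2004-01-10", "2004-02-20", "high", "buffer overflow"),
        ("2004-01-20", "2004-03-01", "medium", "denial of service"),
        ("2004-02-05", "2004-02-25", "low", "information disclosure"),
        ("2004-02-28", "2004-04-15", "high", "buffer overflow"),
    ],
}


def _d(s):
    """Parse an ISO-8601 date string into a date."""
    return date.fromisoformat(s)


def interarrival_days(records):
    """Days between consecutive disclosures, ordered by disclosure date."""
    dates = sorted(_d(r[0]) for r in records)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def median_time_to_fix(records):
    """Median days from disclosure to patch. Unpatched entries are excluded
    rather than counted as zero, which would bias the median downward."""
    lags = [(_d(p) - _d(d)).days for d, p, _, _ in records if p is not None]
    return median(lags) if lags else None


def unpatched(records):
    """Number of vulnerabilities with no patch at observation time."""
    return sum(1 for r in records if r[1] is None)


def severity_profile(records):
    """Count of vulnerabilities per severity label."""
    return dict(Counter(r[2] for r in records))


def type_profile(records):
    """Count of vulnerabilities per reported type."""
    return dict(Counter(r[3] for r in records))


def summarize(dataset):
    """Per-group summary of the measures being compared."""
    out = {}
    for group, recs in dataset.items():
        gaps = interarrival_days(recs)
        out[group] = {
            "count": len(recs),
            "median_interarrival_days": median(gaps) if gaps else None,
            "median_time_to_fix_days": median_time_to_fix(recs),
            "unpatched": unpatched(recs),
            "severity": severity_profile(recs),
            "types": type_profile(recs),
        }
    return out


if __name__ == "__main__":
    for group, stats in summarize(SAMPLE).items():
        print(group, stats)
```

Unpatched entries are reported separately instead of being folded into the time-to-fix figure; dropping them silently would make a group with many open issues look faster than it is, which is one of the caveats to check before reading a median patch latency as a performance figure.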