Study: Open Source Code Quality Keeps Improving
I’m usually a bit leery about placing too much weight on research studies that are conducted or paid for by vendors. After all, they’re not likely to report any findings which reflect poorly on them or their area of focus, right?
But a recent study from Coverity on the integrity of open source software code caught my attention for a few reasons. In The 2009 Coverity Scan Open Source Report, the San Francisco-based provider of software integrity tools and services analyzed more than 11 billion lines of code submitted by developers to 280 open source projects over the past three years. It seems like a fairly comprehensive and objective approach to analyzing the defect rates and quality of open source code across a range of open source projects, including PHP, Firefox, Ruby, Linux and Samba.
The study concluded that the so-called ‘defect density’ for these open source projects dropped 16% over the past three years. Static analysis defect density is defined as the number of defects detected by Coverity’s Prevent tool per thousand lines of code in a specific project or set of projects. The study also found that open source software is becoming more secure. That’s good news for CIOs who are increasingly testing out and using open source systems, particularly in light of the latest set of security patches issued by Adobe and Microsoft earlier this month.
For its part, Adobe issued 29 patches for vulnerabilities detected in its Adobe Reader and Acrobat PDF applications. Meanwhile, Microsoft released a record 34 security patches for holes in Windows Vista, XP, Windows 2000 and even Windows 7 before it goes on sale to consumers beginning Oct. 22.
As any CIO or CTO will tell you, patch management is a huge time sink, a dreaded but compulsory exercise.
Previous studies have indicated that open source code can sometimes be less buggy than more traditional commercial code. For instance, a Feb. 2005 story posted on internetnews.com cites a 2004 study which determined that the MySQL open source database had one-sixth the defect rate of comparable proprietary databases.
CIOs, project sponsors and technical teams will continue to select the software that best meets their organizational requirements, whether that’s open source, closed source or homegrown. But with open source becoming more mature, reliable and secure, it’s heartening for IT leaders to know that they have more viable options available to them from yet another channel.
Comments (1)
1. 10-27-2009 19:35
This is the kind of news CIOs need to hear to give them more comfort to move forward with open source deployments.
I recall that Coverity conducted a similar study earlier in the year in conjunction with Stanford University. At that time it found an average defect rate for open source applications of 0.434 bugs per 1,000 lines of code, which compared to an average defect rate of 20 to 30 bugs per 1,000 lines of code for commercial software. Of course, the question that raises is, why are open source developers able to maintain better quality than the commercial folks?