Does Open Source Code Increase Risk of Attacks based on Software Vulnerabilities?
Abstract
For open source software, security attention frequently focuses on the discovery of vulnerabilities prior to release. The large number of diverse people who can view the source code may find vulnerabilities before the software product is released. Therefore, open source software has the potential to be more secure than closed source software. Unfortunately, for vulnerabilities found after release, the benefits of easy access to source code may now work against open source software security. Attackers may be more likely to exploit discovered vulnerabilities since they too can view the source code and can use it to learn the details of a weakness and how best to exploit it. This research compares exploitation attempts based on vulnerabilities in open source software with those based on closed source software. Empirical analysis of two years of security alert data from intrusion detection systems assesses the relationship between open source and risk of vulnerability exploitation.
Authors
Sam Ransbotham
(Boston College)
Topic Area
Communities: User Innovation and Open Source
Session
TATr2B » Communities: User Innovation & Open Source (Papers & Posters) (15:45 - Tuesday, 2nd August, Room 112, Aldrich Hall)
Paper
Ransbotham_OpenSourceVulnerabilityDiffusion_20160513.pdf