From the ‘Fun Studies’ files:
We’ve all heard the cliché that more eyes lead to more secure code when it comes to open source — but is it true?
The latest attempt to answer that question comes from code scanning vendor Veracode.
The Veracode study found that, in aggregate, 58 percent of all applications it scanned did not receive an acceptable security score (meaning they carried some identifiable risk).
Digging deeper, 39 percent of open source applications and 38 percent of commercial apps did receive an acceptable score according to Veracode when mapped against the CWE/SANS Top 25 Most Dangerous Programming Errors (I reported on that list a couple of weeks ago).
OK then, that’s not all that impressive.
What was impressive from my perspective was the remediation time.