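@comment{Schryen and Kadura, ACM SAC 2009. Surveys the open-vs-closed-source security debate,
  proposes metrics for how far each review process has helped fix vulnerabilities, and applies
  some of them to OpenOffice vs. Microsoft Office. Citation key kept unchanged for existing \cite uses.}
@inproceedings{5625,
  author       = {Schryen, Guido and Kadura, Rouven},
  title        = {Open Source vs. Closed Source Software: Towards Measuring Security},
  booktitle    = {24th Annual {ACM} Symposium on Applied Computing},
  year         = {2009},
  keywords     = {Open source software, Closed source software, Security, Metrics},
  abstract     = {The increasing availability and deployment of open source software in personal and commercial environments makes open source software highly appealing for hackers, and others who are interested in exploiting software vulnerabilities. This deployment has resulted in a debate {``full of religion''} on the security of open source software compared to that of closed source software. However, beyond such arguments, only little quantitative analysis on this research issue has taken place. We discuss the state-of-the-art of the security debate and identify shortcomings. Based on these, we propose new metrics, which allows to answer the question to what extent the review process of open source and closed source development has helped to fix vulnerabilities. We illustrate the application of some of these metrics in a case study on {OpenOffice} (open source software) vs. {Microsoft Office} (closed source software).},
}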

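@comment{Schryen, AMCIS 2009. Empirical comparison of published vulnerabilities for eight open source
  and nine closed source packages: mean time between disclosures, disclosure trend over time, and
  severity. Citation key kept unchanged for existing \cite uses.}
@inproceedings{5647,
  author       = {Schryen, Guido},
  title        = {Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities},
  booktitle    = {15th Americas Conference on Information Systems},
  year         = {2009},
  keywords     = {Vulnerabilities, security, open source software, closed source software, empirical comparison},
  abstract     = {Reviewing literature on open source and closed source security reveals that the discussion is often determined by biased attitudes toward one of these development styles. The discussion specifically lacks appropriate metrics, methodology and hard data. This paper contributes to solving this problem by analyzing and comparing published vulnerabilities of eight open source software and nine closed source software packages, all of which are widely deployed. Thereby, it provides an extensive empirical analysis of vulnerabilities in terms of mean time between vulnerability disclosures, the development of disclosure over time, and the severity of vulnerabilities, and allows for validating models provided in the literature. The investigation reveals that (a) the mean time between vulnerability disclosures was lower for open source software in half of the cases, while the other cases show no differences, (b) in contrast to literature assumption, 14 out of 17 software packages showed a significant linear or piecewise linear correlation between time and the number of published vulnerabilities, and (c) regarding the severity of vulnerabilities, no significant differences were found between open source and closed source.},
}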

