
In 2006, the Department of Homeland Security partnered with a software code analysis company called Coverity to examine open source code for security vulnerabilities and software defects. Each year since, Coverity has published a report on the quality of open source code, and each year, the company has found that it isn’t that different from proprietary software. That seemed to settle the issue.

But the latest report, published on Wednesday, found something new: the code quality of open source projects tends to suffer when they surpass 1 million lines of code, whereas proprietary code bases continue to improve when they pass that mark.

The Coverity Scan tool performs automated static analysis of code bases, looking for defects such as resource leaks, illegal memory access, and control flow issues. It’s free for open source projects and available to proprietary software vendors for a fee. Coverity drew on its user base for the report, analyzing 118 active open source projects and 250 proprietary projects.

The study found that open source projects have an average of 0.69 defects per 1,000 lines of code, while proprietary projects have about 0.68 defects per 1,000 lines. But when projects were compared based on the total number of lines, some intriguing differences emerged.
