Commercial code is more compliant with security standards than open source code

A new report details the analysis of nearly 10 billion lines of source code through the Coverity Scan service and use of the Synopsys Coverity Software Testing Platform.

For the report, the company analyzed code from more than 2,500 open source C/C++ projects as well as an anonymous sample of commercial projects in 2014.

Based on static analysis defect density, open source code outpaced commercial code for quality in the 2013 report, and this trend continues in 2014.

This year the report also compared security compliance standards such as OWASP Top 10 and CWE 25, and found that commercial code is more compliant with these standards than open source code.

“Open source projects are often driven to solve a problem, for and by technical people. Commercial software steps in at a different level and focuses more on ‘business problems’. Therefore, the conclusion which Coverity shares makes sense to me,” said Michael Boelen, founder of security firm CISOfy. “It is something I personally experienced with Lynis. When there was only the open source product, compliance was not the highest priority. With the introduction of Lynis Enterprise, the request for compliance got a boost.”

Defect density (defects per 1,000 lines of code) has continued to improve for both open source code and commercial code when the overall 2014 numbers are compared with those from 2013.

Open source code defect density improved from 0.66 in 2013 to 0.61 in 2014, while commercial code defect density improved from 0.77 to 0.76.
