Over Half of Software Fails First Security Tests
An anonymous reader writes "Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. And this data is based on software developers who took the time and effort to have their code tested — who knows about the others."
Reader sgtrock pointed out another interesting snippet from the article: "'The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging,' Oberg says. And it was the quickest to remediate any flaws: 'It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,' he says."
That's probably easy if it's just one guy, but what about when it's several, if not even hundreds of developers? Random patch code in OSS bug-tracking systems can make some other unrelated code insecure because the guy who submitted the patch didn't know everything about the code or didn't check it through, and it slipped past the maintainers too. This is especially true in projects with a really large codebase or several code branches and forks.