Wednesday, February 06, 2008

One security glitch per thousand lines of code?

Interesting story in PC World:
A US Department of Homeland Security (DHS) bug-fixing scheme has uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open source software projects.

The program, called the Open Source Hardening Project, is sponsored by the DHS and carried out by Coverity and Stanford University. Launched in March 2006, the US$300,000 project was initially launched to review the code of 180 open source software projects frequently used by developers of government websites and application developers.

All the software scrutinized was found to have significant numbers of security flaws, Coverity said on Wednesday. Since 2006 the project has helped fix 7,826 open source flaws in 250 projects, out of 50 million lines of code scanned, the company said.

Eight thousand bugs in fifty million lines doesn't seem to quite justify the one-per-thousand claim, but it's still a lot of security holes found at a modest price.

This does not, of course, directly shed any light on the oft-heard claim that open source software has fewer residual bugs than proprietary software.
