Open-source may be the popular option for developers – but at what cost?

For years, the argument on whether open-source is better or worse than closed-source has been hotly debated, often in philosophical as much as practical terms.

But a new study on software quality aims to dissect – if not settle – the raging debate.

Software intelligence firm CAST analyzed 61 projects and nearly nine million lines of code to pit the quality of open-source software against its closed-source counterpart.

And while CAST found that open-source software (OSS) is generally better quality than that which is developed in-house, these advantages often come at the expense of efficiency.

Projects reviewed included MongoDB, Ethereum, BitcoinJ, Apache Struts, Kubernetes Helm, and Microsoft Orleans.

In the study, open-source software was found to be 9% more secure, 10% more robust, but 7% less efficient than closed-source app – implying that using OSS tends to incur a performance hit.

As open-source components are often stitched into modern applications, this allows development teams to work faster by reusing components, but it can also create risks.

This speed may come at a cost of the robustness, efficiency and, in some cases, security of applications meant to support business functions.

But CAST did find that open-source is usually used to create smaller apps which are easier to manage and fix when problems occur.

Open-source applications with 146,576 lines of code are on average four times smaller than closed-source apps, which total an average of 608,320 lines of code, the study found.

Fewer lines of code mean that the codebase is easier to maintain.

Databases were the least secure open-source projects examined by CAST, flouting the most security rules by being only 86% compliant with industry best practices.

Open-source frameworks put through their paces included Apache Struts, an unpatched version of which was implicated in the infamous Equifax data breach, ranked the lowest at 93.6% compliant, behind web projects at 93.7%.

And while Blockchain apps score high for resilience they are not secure or efficient, CAST’s benchmarking exercise revealed.

“As we saw with the Struts vulnerabilities that ultimately brought down Equifax, software quality issues that prevail in open-source components are more easily exploitable by hackers.

“This report looks to identify many of these software risks that may put organizations on the defensive.”

CAST’s Software Intelligence Report benchmarked the overall quality of OSS compared to software built in-house or by outsourced teams, studying 75,000 source files and 8.9 million lines of code.

The analysis is broken down by language for C/C++ and .Net, JEE and PHP applications, and scores these applications for transferability, robustness, changeability, efficiency and security.

Software apps were benchmarked against the CAST’s Appmarq repository, which contains the structural quality analysis data performed against 1,200+ rules across the same five structural characteristics.