Open Source Security: Still a Myth
Subject:   Interesting but somewhat meaningless
Date:   2004-09-17 10:51:32
From:   stonehippo
The entire argument for whether closed or open source produces more secure code is highly flawed, and for the exact reason that is stated early on in this article: the question must be handled on a case-by-case basis. Discussing the generalities of which process produces more secure software is an almost useless exercise: the particular team creating the software, their knowledge, skills, and inclinations, combined with processes, are what determine the quality of a software product.

The idea that there is a unified "open source community" is laughable; it's no more true then saying that there's a unified closed source world. While many of the people involved in F/OSS development share some basic ideals about how software should be developed, the re's nothing that guarentees that they're all competent. The same is entirely true in the closed source world: if a group of developer's pay attention to security and has the skill to really identify issues in the code, then holes will be closed.

I agree that too much has been made of the "many eyes" argument. However, there is some validity to the idea of "selected eyes".

An advantage of open source in this arena is that independent auditors may choose to check for security issues and bugs in the code, and can fix them when they are found. With closed source, something like this requires a special arragement with the rightsholder. Note that this does not make the F/OSS software more secure by default; if no one with the right skills is looking at the code, holes won't be found. But at least a company or individual has the option to commence such an audit independantly. It for this very reason the groups like the NSA have adopted Linux; they don't expect that the community at large has the expertise that they have in house, but they can leverage the work of the community and avoid re-inventing the wheel.

The fact is, some F/OSS projects are mature or lucky enough to have their own processes for finding and fixing security issues: the OpenBSD and Mozilla Firefox projects have both had active, and fairly successful, security activities. Others are not. At the same time, there are plenty of examples of closed source projects and products that have received diligent security fixes (and some notable ones that have not). It's not a question of open or closed source: it's a question of thinking about security or not.