A report says that Open Source Software is more vulnerable than Closed Source:

"Advocates of the open-source process often claim that their products are more secure thanks to the larger number of people poring over the code."

This is one of the most widespread fallacies about Open Source code. The truth is that Open Source developers spend much more time writing code than reading it. And it makes sense, right? You are most likely contributing to an Open Source project to have some fun in your spare time, and what fun is there in trying to make sense of code written by an unknown developer probably living on a different continent than yours?

Since there is no fun in doing that, there needs to be an incentive, like money. The bottom line is that fixing security flaws in Open Source software can only happen if the project is backed by a company that is actually paying a salary to the members of the project, and if the said company has a clear interest in having this security hole plugged.

Short of having that, Open Source is just as unsafe as Closed Source is. [Otaku, Cedric's weblog]
Yes. All source code has the potential for security flaws. The real differentiator for open source is the sheer speed with which flaws are tackled once discovered. It's usually on the order of days. Compare the amount of time it takes the FreeBSD team to release an operating system patch once a hole is found with, say, your favourite proprietary desktop operating system.
Open source projects also tend to generate more loyalty and pride of workmanship from their developers, so a higher level of care tends to be taken over the work. Paraphrasing (poorly) from somewhere, you’re only as good as your last commit. When all the world can see your code, bad as well as good, would you not be a little more hesitant about releasing cruft?