“Open source” does not mean “more secure”

One of the stupidest lines of the pro-open source crowd is that open source code is more secure than closed source. The reasoning is that since everyone and his brother and roommate can review the code, it is unlikely that security holes will go unplugged.

The reality of open source is that, generally, everyone and his brother and his roommate can modify the code. Who guarantees that these people are competent and have good intentions? Nobody. Who guarantees that a competent person reviews the code? Nobody. Even if that code appears secure, there is no guarantee that anyone understands how it affects the security of all the other code within an application, or in other applications.

The biggest open source project of recent memory is the Firefox browser. It’s a pretty good browser. I use it. But it has already had three security revisions. The security problem is so serious that Firefox marketers are already in damage control mode.

Firefox may be more secure than Internet Explorer, but it gets this security by leaving out many of IE’s features. Suppose you took a current version of IE (with all patches installed) and disabled or removed these extra features. Would it be less secure than the current version of Firefox? I doubt it.

Open source is not a guarantee of more security. Regardless of whether it is open or closed source, all software must be carefully scrutinized. No software should be fully trusted.
