Open source software and security

There has been much public debate on the security merits (or weaknesses) of open source software when compared to proprietary software. These debates have frequently been driven by emotional arguments triggered by the numerous high-visibility worms and viruses that have exploited vulnerabilities in desktop systems to disrupt networks.

Open source advocates have argued that open source software is inherently more secure because fixes for uncovered design flaws are quickly distributed and made available. They further argue that early and intense code review promotes the development of better quality code.

The counterargument is that, while it may be true that bugs are fixed more quickly in open source software, a collaborative, community-based development model is not a replacement for a sound system design.

Proprietary software advocates have argued that open source software is inherently less secure because hackers have access to the software intended to protect system data and can easily find and exploit existing design flaws.

Keeping secrets usually does not hurt security, but relying on the secrecy of source code or security methods (security by obscurity) provides only weak protection, so it does not support the argument in favor of proprietary software.

Deploying a clearly visible, strong door lock can protect a house much better than hiding an unlocked door behind a bush and hoping that burglars cannot break in because they cannot find the door. An encryption method should protect the data even when its algorithm is well-known.

As any security expert will attest, the security of a system is directly related to the quality of its intrinsic design and the procedures governing its operation.

So, when selecting components of your IT infrastructure to support security policies, base the choice on the soundness of their design, the commitment to security demonstrated by the vendor, and the functionality required to support those policies, not on the software development model that produced them.