The open source approach is like preparing for a debate, and asking your five smartest friends to poke holes in your ideas so that you may improve them and be well prepared.
The proprietary approach is like preparing alone, showing up for the debate and having your opponent point out the flaws in your reasoning and publicly embarrass you.
By not relying on security through obscurity. It is not necessary to, and is a bad practice anyway. The latter is commonly referred to as [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle).
Please note that open source, libre/free, and source-available software are still commonly exploited. It is a widespread misconception that since the code can be independently reviewed, it is being reviewed. Even for those projects where it is, reviews don’t necessarily translate to caught vulnerabilities, severe or low-hanging.
Source code leaks are typically an intellectual property (IP) theft concern, not a security one.
Typically with open source stuff, a LOT of people take a look at the code. And a LOT of people will have suggestions that might be really good.
With closed source software, the eyes on it will be pretty much only the development team, which could be as few as one or two people. But even if it’s 20 or 50 people, it’s still fewer eyes reviewing the code than an open source project.
Also I’ve always suspected that telemetry is a huge vulnerability. Consumers tend not to like telemetry, while companies do. But with open source, it’s easy to remove all telemetry, and improve privacy and security.
Open source = more eyes = more people to spot vulnerabilities/flaws. Programmers can see how open source software works and can point out vulnerabilities to the code maintainers. Closed source software has fewer people reviewing the code, so fewer people to spot vulnerabilities. The result is that closed software may have flaws that only become visible when code is leaked.
First off, there are a lot more eyes on open source code than closed source, which means that potential vulnerabilities have a much higher chance of being found and patched in very short order.
Second, open source software cannot obscure such vulnerabilities. People can see them, write blogs & reviews about them, and openly criticise the developers for not patching or fixing them. With closed source, the developers can simply ignore known vulnerabilities and hope that they won’t be discovered or exploited in the wild. However, this is unethical, and is considered bad practice as it violates the trust between developers and consumers.
Third, just because you know what security measures are in place, does not mean that you have the capability of defeating them. Typically hackers gain access to a system by finding and exploiting a bug or vulnerability in that system that has not been patched. If no such bug or vulnerability exists, then the software cannot be hacked in this way. However, hackers do often exploit the human element to gain access to a system. This is something that cannot be patched, and is far more common.
The main threat that comes from source code leaks is revealing proprietary code that competitors could potentially replicate. It also exposes vulnerabilities that developers have obscured and can damage their public reputation. Additionally, a source code leak usually implies that there was a lapse in security that allowed such a leak to happen in the first place, which also hurts the company’s public image.
Closed source code is not likely written to be robust and hack/crack resistant, as it relies more on fulfilling its purpose and trusting that the cryptography/obfuscation won’t be broken. Open source code starts with the premise that it should be built robustly (at release, or have a great foundation to be easily secured/modernized, modular and so on).
> Typically a source code leak is a safety danger.
Rather the opposite. The more people see the source code, the higher the likelihood of discovering bugs. All the users of a piece of software have an incentive to uncover bugs, and important software can have many millions of users. A piece of closed source software is only checked by the small group of people working on it, often under extreme time pressure.
> all safety measurements can be plainly seen?
Security does not rely on hiding the mechanism. “Security by obscurity” is widely derided in the industry, with good reason.
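The point made in the two answers above that cite Kerckhoffs's principle and reject "security by obscurity" can be shown concretely. The following is an added example, not code from any commenter in this thread: it models a source-code leak against two integrity-tag designs. The "obscure" scheme has no key, so its entire secret is the algorithm (a made-up constant baked into the source); the keyed scheme uses the public HMAC-SHA256 construction with a key held outside the code. The constant, the guessed key and the sample message are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed "obscurity" scheme: there is no key; the whole secret is the
# algorithm itself, i.e. this constant folded into the hash. The value is
# made up for this example.
_HIDDEN_CONSTANT = b"nobody-will-ever-read-this-source"


def obscure_tag(message: bytes) -> str:
    """Integrity tag whose only protection is that the algorithm is secret."""
    return hashlib.sha256(_HIDDEN_CONSTANT + message).hexdigest()


# Kerckhoffs scheme: the algorithm (HMAC-SHA256) is public; the only secret
# is a key that lives outside the source tree (environment, secret store, HSM).
def keyed_tag(key: bytes, message: bytes) -> str:
    """Integrity tag that stays secure even when the source is public."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def tag_is_valid(expected: str, candidate: str) -> bool:
    # Constant-time comparison so verification does not leak tag bytes by timing.
    return hmac.compare_digest(expected, candidate)


def source_leak_impact(message: bytes, real_key: bytes) -> dict:
    """Model a source-code leak: the reader now has every line of this file
    but not the runtime key. Returns whether each scheme's tag is forgeable."""
    # With the source in hand, the obscure tag can be recomputed verbatim.
    forged_obscure = obscure_tag(message)
    # For the keyed scheme the algorithm is known but the key must be guessed
    # (constructed guess, not the real key).
    forged_keyed = keyed_tag(b"guessed-key", message)
    return {
        "obscure_forgeable": tag_is_valid(obscure_tag(message), forged_obscure),
        "keyed_forgeable": tag_is_valid(keyed_tag(real_key, message), forged_keyed),
    }


def rotate_key() -> bytes:
    """Recovering from a key compromise is a key change, not a code change;
    the obscure scheme would need the source edited and redeployed instead."""
    return os.urandom(32)


if __name__ == "__main__":
    key = rotate_key()
    msg = b"transfer 10 credits to account 42"  # constructed sample message
    print(source_leak_impact(msg, key))
    # -> {'obscure_forgeable': True, 'keyed_forgeable': False}
```

Run it and the obscure tag is forgeable the moment the source is public, while the HMAC tag still fails verification without the key. That is the practical content of the principle: publishing the mechanism costs nothing as long as the only thing that was ever secret is the key, which is also why a source leak is an IP problem rather than a security one only when no secrets were hard-coded in the source to begin with.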