How are open source software secure?


I’m all for open source software so it can be understood, developed, and used by more people than if it was proprietary. However, I don’t get how it can be secure if malicious actors have access to the source code and the entire software package to practice their attacks against?


18 Answers

Anonymous

The theory is that “many eyes find all bugs” but that’s demonstrably bullshit. All software has bugs and they’re a lot easier to find if you have the source code.

A good example is SQL injections. You don’t know how the developer has sanitized form input so without the source code you have to try a jillion things to see if anything works. But with the source code…easy peasy.

Having said that, zero-days and bugs in OSS generally get patched sooner because there’s a lot of transparency around them, whereas companies with their own proprietary code can, and do, sit on bug reports for a very long time, which allows those who know about it to happily exploit it a lot longer.

There are examples of pros and cons to both.
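As an added illustration of the sanitization point in the answer above (example code, not written by the answer's author): a constructed SQLite user lookup written once by string concatenation and once with a parameterised statement, plus the kind of quote-handling check a source reviewer would run to see whether form input ever reaches the SQL parser. The table, the names and the `users` schema are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Builds the statement by concatenation: the form input becomes part of the
    SQL text, which is exactly what a reader of the source would flag."""
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, name):
    """Parameterised statement: the driver passes the input as data, never as SQL."""
    return [row[0] for row in
            conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def quote_check(lookup):
    """Review-style check: look up a legitimate name containing a quote.
    Returns True if the function handles it correctly, False if the quote
    breaks the statement, i.e. user input is reaching the SQL parser."""
    conn = make_db()
    try:
        return lookup(conn, "O'Brien") == [2]
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    print("concatenated:", quote_check(lookup_concat))   # False
    print("parameterised:", quote_check(lookup_param))   # True
```

The check does not need any attack payload: a name with an apostrophe is enough to tell a reviewer which of the two functions lets input change the meaning of the query.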
