Simply said: the more people check and look at the source code, the more likely it is that they will find any mistakes and errors in the code.
By making the code available to everybody, the chances are higher that someone will eventually find any such mistake – at least the chances are higher than if you keep the sources secret.
Having the security of a system rely on its design being secret is known as *security through obscurity*. If you want something to be truly secure, you should not rely on this. The only things that should be secret are things like passwords and keys for encryption/decryption and authentication. These things work because they are secret, and they can be easily changed if they ever become known.
Consider two ways of protecting valuables in your house. Option A is locking the items in a safe and telling everyone in the neighbourhood that you have a safe where your valuables are. Option B is to put your valuables in an unlocked drawer and hope no one opens that drawer. Option A is way more secure, because just knowing you have a safe doesn’t let you open it. (Yes, technically safes can be cut open, but that’s because nothing physical is truly secure.) As soon as someone knows you are using Option B, it loses all security.
If your system is actually secure, knowing how it works will not help anyone break it. If it doesn’t need to be secret, then there is no reason to keep it secret. It’s actually better for it not to be a secret, because then others can verify if your system is actually secure and possibly find vulnerabilities and let you know so you can fix it.
> if malicious actors have access to the source code and the entire software package to practice their attacks against?
Everyone else has the same access, so they can fix any vulnerabilities just as easily as the bad guys can find them.
Conversely, bad guys can ‘practice’ their hacks just as well on closed source code, but there is absolutely no way for anyone other than the owning company to fix it, and owning companies are notorious for failing to fix these things in a timely manner. If they don’t see a cheque coming in, they don’t do anything.
Closed source code is generally LESS secure and LESS safe than open source code.
The theory is that “many eyes find all bugs” but that’s demonstrably bullshit. All software has bugs and they’re a lot easier to find if you have the source code.
A good example is SQL injections. You don’t know how the developer has sanitized form input so without the source code you have to try a jillion things to see if anything works. But with the source code…easy peasy.
Having said that, zero days and bugs in OSS generally get patched sooner because there’s a lot of transparency around them. Whereas companies with their own proprietary code can, and do, sit on bug reports for a very long time which allows those who know about it to happily exploit it a lot longer.
There are examples of pros and cons to both.
IF the software is proprietary, only your staff can work on said security vulnerabilities.
What you are missing out on open source is that the community will pick up on statistically improbable vulnerabilities a smaller group could catch.
In essence, open source is often more secure, because it is open source.
>I don’t get how it can be secure if malicious actors have access to the source code and the entire software package to practice their attacks against
It’s secure **because** malicious actors have access to the source code and the entire software package to practice their attacks against, which leads to any existing security holes being exploited, which leads to them being detected, which leads to them being fixed.
The best analogy I read is that open source software is like a rat which grew up in the sewers, while closed source software is like a rat which grew up in a sterile scientific laboratory. Which rat do you think would be more resistant and would come out on top?
A perfect example of this is Bitcoin (open source software), which was never compromised in 15+ years of its existence, even though the “reward” for doing that would be measured in at least tens of billions of $, while banks and crypto exchanges (closed source software) get compromised every day, for a far smaller “reward”.
Malicious attackers can spend tons of time trying to find vulnerabilities, yes, but an ARMY of people also has access to the code and wants it to stay safe, so they do the same thing and also patch any holes they find.
“Practicing” attacks isn’t really a thing, and even if it was, you wouldn’t need the source code to do it because you would be breaking into the version that’s actually running, not the decompiled version.