Open source *more* secure?
25 May 2010
by Paul Vixie
I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing proprietary software.
Ram Mohan has written an article "In Defense of BIND: Open Source DNS Software Yields a Better Breed of Secure Product" that is quite worth a read.



Comments
Open source is a great initiative; you never see advertising on the television going "I am a PC and Open Source was my idea!"
The reasons for that are simple enough: the open source community is driven by the desire to create, innovate and produce something of benefit to that entire community; it is not driven by the desire to increase the size of its bank balance. Security through obscurity is the reliance on the secrecy of the implementation of a system or components of a system to keep it secure. Security through obscurity is a weak security control, and nearly always fails when it is the only control. This is not to say that keeping secrets is a bad idea, but that the design or logic of the security control should be based on open and known principles.