The central point of this article appears to be that security through obscurity - MS closed source development model - is better than the underlying force for more secure code, combined with the pressure for fast fixes, created by an open source development.

I don't think this stands up to scrutiny, since only one bad guy needs to discover a security flaw in a closed source product in order to make an exploit available. So security through obscurity is like a locked door to a room full of loot just sitting waiting to be taken - only one person has to break the lock, and that leaves the goodies exposed to everyone else.

The shared development model of open source (or indeed free software) is akin to the room not being enclosed at all, but free for people to walk around, but the goodies all being bolted and welded to the floor. Not only does that mean that one bad guy managing to prise one bit of kit doesn't make any of the rest of it less secure, it also means that everyone can see what's going on the room all the time, and collectively can ensure that all remains intact.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/348/32254#32254