Open Source Security

In one of his interviews, Bruce Schneier talked about the security of open source versus closed source.

Are open source products more secure than closed source?

Schneier: It's more complicated than that. To analyze the security of a software product you need to have software security experts analyze the code. You can do that in the closed-source model by hiring them, or you can do that in the open-source model by making the code public and hoping that they do so for free. Both work, but obviously the latter is cheaper. It's also not guaranteed. There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee.

Personally, I do not really believe in the myth of security in open source code. Linus Torvalds once said, "Given enough eyeballs, all bugs are shallow". It seems to have worked reasonably well in the open source realm over the last decade or two. However, in the land of software security, we sometimes don't seem to have enough interested "eyeballs", let alone well-trained "eyeballs". If what powers the open source movement is fundamentally "hackers scratching their own itches", security is usually not on every coder's agenda. There might be many independent groups auditing some of the most popular open source software, but the majority of OSS still lacks security analysis. Especially with OSS, where any novice programmer can release his/her work and get involved in someone else's projects, and code is often released prematurely, I've seen lots of open source software that did not build security into its design.

In the end, it might be just as Bruce Schneier has suggested: whether you want expensive expert analysis, or cheap or free open analysis with no guarantee. It is not about which license you have released your software under, but who has looked at your code.