Open Source versus Closed Source

I am getting sick of the pointless debate over which is more secure: open source or closed source software. Simply by being one or the other does not ensure a proper implementation.

I prefer open source, but in the following I will attempt to only list facts.

The number of companies jumping on the bandwagon has blurred the definitions, so in the following I shall use this definition: closed source is any software product whose source code a normal end user cannot view.

Open source software is any piece of software where a normal end user is granted a full view into the source code and has the option to modify this code for his or her own purpose. Various puppy tricks by Apple and Microsoft, where they make a small snippet of code available to a select audience without the option of modifying it, are not open source.

Closed source software

The biggest downside of closed source software is that you have no idea how it was made. You must accept the word of a software vendor for the quality of their own product.

Large commercial vendors have, in theory, the resources to create quality assurance processes that include strict guidelines for programmers combined with design and code reviews to prevent security and reliability flaws from sneaking in. This is very expensive and may postpone the release of new products by weeks or months. It is cheaper to spend 200 hours fixing security and reliability problems found by customers than to spend months fixing poor code which may or may not turn out to be a problem.

Software vendors do internal risk management. Until software vendors see significant risk in releasing low quality software (e.g. get dragged into court when their software fails), this will be the approach they will continue to take.

Commercial vendors have, in theory, the resources to respond very rapidly to severe reliability or security problems in their software. They should be able to provide manned contact points on a 24 by 7 basis. They should be able to analyse a problem and have a fix ready in hours.

It takes little to medium skills to find security holes in closed source software. It takes very advanced reverse engineering and assembly language skills to fix closed source software. Often the license prohibits you from modifying the product.

Open source software

The biggest downside of open source software is all the clueless fanatics supporting the cause. The upside is, if you have the skill and time, you have an excellent view into each and every aspect of how the application works.

Most open source projects are being worked on by developers who do it for fun and in their own time. Most projects have no funding or financial support. There are often no official code reviews or quality assurance processes in place.

With the correct knowledge it is quite trivial to find security problems in open source software. With the correct knowledge, it becomes trivial to use this information for evil purposes. With the correct knowledge, it is quite trivial to fix these problems.

The fact that the source code is available for anyone to review does not instantly make the software free of design or implementation problems. If someone with the required knowledge sits down and reviews the product and feeds corrections back to the maintainer, it will help.

When security problems are found in open source software, the fixes are often available within a matter of hours. Vendors of distributions that include the software can sometimes be much slower.

The GNU and BSD projects have code reviews to varying degrees; OpenBSD is probably the best known of these, and its efforts have paid off.

Your focus should be on aspects you can verify such as quality of design and implementation, support -- for free or for a fee, and their capability to fix problems.

Let's move away from the open versus closed debate and instead ensure that as many vendors as possible deliver quality software. In an ideal world, one would settle on OpenBSD over Windows simply because of personal taste, not because one suffers from a history of excessive security problems.