Open-Source Software Feels Insecure
At first glance, this seems like a particularly dumb opening line of an article:
Open-source software may not sound compatible with the idea of strong cybersecurity, but….
But it’s not. Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They’ll figure out how it works. They’ll find flaws. They’ll—in extreme cases—sneak back-doors into the code when no one is looking.
Of course, these statements rely on the erroneous assumptions that security vulnerabilities are easy to find, that proprietary source code makes them harder to find, and that secrecy is somehow aligned with security. I’ve written about this several times in the past, and there’s no need to rewrite the arguments again.
Still, we have to remember that the popular wisdom is that secrecy equals security, and open-source software doesn’t sound compatible with the idea of strong cybersecurity.
Spaceman Spiff • June 2, 2011 12:26 PM
Yes, the old myth of security by obscurity at its best. Bruce, you have been trying to educate people for years that security by obscurity is no security, and I laud you for it. Unfortunately, I don’t think it matters how much you beat that drum. People are always going to look for the easy answers, even if there aren’t any. 🙁