One of the most misunderstood aspects of the Open Source Software (OSS) development model is the security benefits it offers. OSS security relies on genuinely hardened code that is tested by a large number of reviewers in a wide variety of circumstances. Linus Torvalds simply noted, "talk is cheap, show me the code."
Reliance on Hardening, Not Obfuscation
Hiding code does not prevent attacks—and it it foolish to assume that it does. Open Source development practices rely on actually hardening (or improving the security of) code by making it available for peers to test and try to break, and then fixing the problems found.
OSS is not always more secure, however in both theory and practice the OSS security model has proven that it can more quickly respond to and correct security issues. On average the FireFox project team fixed security issues 37 days after they were found; while Microsoft took an average of 134.5 days to patch security issues they found in their Windows line of products.
Obfuscation relies on attacker ignorance and hides poor security practices. Within five months of the source code release of InterBase version 6, a hard-coded backdoor that had existed for seven years was found by the OSS community and fixed.
Wide Peer Review
Assuming that the goal is to make secure software, it is obvious that the easiest way to find flaws in a project is to make all of the project's code completely transparent. This approach may seem counter-intuitive, if the ultimate goal is anything other than the integrity of the technology.
By openly releasing a project's code and making it readily available via the Internet the community of peer reviewers is expanded exponentially across the globe. The community will quickly find flaws and the project team can take action to fix them. This simultaneously garners exceptionally wide and deep testing feedback from developers who need the code to be as secure as possible for their own use as well as the community's. Both the project owners and community benefit from sharing flaws and fixes.
The 2009 DoD memo expresses confidence in the OSS security model: “the continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”
Look Good Naked
Jim Whitehurst, Red Hat CEO, summed up the OSS security model by saying, "If we all had to walk around naked we'd all spend more time in the gym." Because the OSS security model is established on industry-accepted best practices and the actual code is widely available, projects are widely reviewed, thoroughly scrutinized, practically improved and quickly hardened.
"Lock-picking is a dying art. Not because basic lock technology has changed all that much since it was invented, but because it's just easier to break a window" noted Kane McLean of BRTRC Technology Research Corporation. "Cyber attacks follow the path of least resistance, if the security obstacles are open and known that becomes a deterrent in itself." When the strength of a project is well known, atteckers tend to search for another path of attack