Is Open Source Really Insecure?

To go Open Source or go proprietary? There is a common conception that open-source is unsafe and insecure and therefore companies should rather go for proprietary solutions. They think that because software is termed "open-source", that the world can see the vulnerabilities of the software and might exploit it, and less informed people tend to think that open-source software can be modified while it is running.

Let's first discuss my last comment: Open source software can be modified while running... Let's look at the normal procedures of producing software. You write the code, compile it, assemble it (depending on your compiler, some compilers might do the assembling stage together with the compilation), and run it. By the time you run it, it is in machine readable format, and loaded into memory. If you change the code, you'll have to go through the building process again and load the new version into memory for the changes to take affect. So one way to change a running program is to manipulate the (machine) code in memory. Surely this can be done if you're smart enough, but this can be done with any software, even the big proprietary names out there. Maybe because software is open source, it gives a hacker easier access to analyse the code and develop and test methods to do harm, but I still think it's just as easy to do harm to proprietary software. People smart enough to do this will surely be able to interpret the machine code produced by proprietary systems as well.

Now, let's look at vulnerabilities exposed by source code that's open to the public. Just as there are people looking for weak points in the source code to do harm, there are also a lot of people fixing these weak points when they spot them. Typically the number of people contributing to a popular open source product outnumber the amount of people working in a team on a proprietary system, which also means there is a lot more minds able to spot weak points. There is also a lot more "testers" from the beginning of the project, as the project is open source, and not like closed source projects where it's limited to a small number of testers before the software is released to incrementally larger groups during alpha and beta testing. The discussion groups are also larger for open-source projects where bugs and weak points are discussed

At one stage not too long ago I've overheard a conversation where a solutions architect, trying to sell a popular proprietary solution to the CIO of a fairly big company, tried to convince the customer when he asked about open-source by saying that "open-source doesn't belong to everybody, it belongs to nobody". Yes I might agree in the case of smaller "hobby" type projects, but I can think of some big names that goes a fairly long way in helping to develop and improve open source systems, and who even gives commercial support for such systems. You'll get many companies giving commercial support for only one open source product and all of them helping to improve that product.

Let me give an example. There are many companies giving commercial support for Firefox, a very popular open source web browser. They might develop bug fixes and release it back to the community, or choose to keep it to themselves. The product is open source, so anyone with the knowledge can develop bug fixes and improvements. You choose who will give you commercial support, and you pay them to do the fixes when you encounter some. if you are not happy with them, you can go to someone else. There are really big companies giving support like this. How many companies can give you support and bug fixes with the popular proprietary web browsers out there? Just the company who developed it. We are moving to a service delivery model of doing business, so more and more companies are eager to give you commercial support on open source solutions, as well as delivering enhancements to the many great open source products out there. I'm just trying to prove that open source does indeed belong to "somebody", and that is everybody, without any sacrifices on security.

Please comment on this article and let me know what you think regarding the topic, and if you disagree, then why you disagree, or if you agree, then provide us with some more supporting points.