On Sun, 8 Oct 2000, Bud Rogers wrote:

> I've always taken for granted the idea that open source was inherently more
> secure because it's open to peer review. Linus said "Given enough eyes, all
> bugs are shallow." But has anyone ever done a serious study on the subject?
> I've seen plenty of emotional arguments and anecdotal evidence, but nothing
> that I would consider hard evidence.
>
> I'm doing a paper on this topic for a graduate level class in Information
> Assurance Management. I'm looking for background material for my paper. I
> would appreciate any pointers, urls, etc.
>
I wouldn't say that open source is guaranteed more secure, since there is no
guarantee that the code has been audited. However, the POTENTIAL to be more
secure is there, because it CAN be audited by anyone. There is no way closed
source can be audited by an independent group, because, well, it's closed.
(By independent, I mean a group / person that can choose on their own to
review the code, over which the original author has no say.)

On average, I would guess it is more secure, because so many projects have so
many eyes looking at it, but I don't have any statistics.

jeff

Thought for today:
stoppage /sto'p*j/ n. Extreme lossage that renders something (usually
something vital) completely unusable. "The recent system stoppage was caused
by a fried transformer."