Monday, March 16, 2015

Beating The Open-Source-Is-More-Secure Straw-Man

Given all of the serious security flaws in open source software lately, such as those in OpenSSL, posters have frequently used the open source hack-du-jour as a counterexample to a purported claim that "open source software is more secure" than proprietary software.  And I just saw it come up again the other day:
The problem with these statements is that they appear to be a rampant straw-man.  When I see them come up, I wonder, "Who in the world is actually making the positive claim that open source software is, in fact, more secure than proprietary software?"  Is someone actually making these claims that are being "countered"?  On what basis could they even make such a claim?

So, I started to search for specific examples of specific individuals making this specific claim that "open source" is "more secure", and I found it more common for writers to assert that someone believes this than to cite an actual example.

I've found a lot of discussion of the topic, such as this treatment from David A. Wheeler, "Is Open Source Good for Security?" But even in those discussions, nobody quotes a specific person making this specific claim. Is everyone arguing with a straw man? Many articles have been written to debunk this "myth" of software security (a search for the phrase yields over 2 million hits in Google), yet not a single one seems to cite any source to back up the claim that this is even a myth at all. The best I found was John Viega's piece from 2004, "Open Source Security: Still a Myth", where he refers to nameless people he has encountered who believe this, with David A. Wheeler as the only named proponent, via his "Why Open Source Software / Free Software (OSS/FS, FOSS, or FLOSS)? Look at the Numbers!"

Much of the genesis appears to be an extrapolation of Eric S. Raymond's famous assertion (which he dubbed "Linus's Law") that, "given enough eyeballs, all bugs are shallow". That assertion certainly does not seem to hold up for general software defects, let alone for security defects: the eyeballs have to actually be looking, and Heartbleed sat unnoticed in one of the most widely deployed libraries on the Internet for roughly two years. I'm not sure how many actually believe that this is true in general these days, or even whether it is common for the average developer to believe that it leads to better security. From my searching, it certainly does not seem to be a common "myth" that promoters promulgate; it is more the detractors who keep it alive by calling it a myth.

Does anyone know who the main proponents of this "myth" are these days?  Why aren't they called out by name in these articles?