Open-Source Security Comes Under Fire - Page 2


However, many security experts find fault with that argument. The fact is, they say, neither one is inherently more secure than the other; it all comes down to the skill with which the code is written and audited.

"Unless there's a great deal of discipline underlying the development, there's no difference in the security. Open source is not inherently more secure," said Peter Neumann, principal scientist at SRI International, in Menlo Park, Calif., and a security and networking expert. "If everyone has the same bad skills, all the eyeballs in the world won't help you. Unless there's discipline, you still come up with garbage."

However, the CERT statistics don't necessarily tell the whole story. CERT does not issue an advisory for every new vulnerability. It tends to focus only on the high-risk issues that are likely to affect a broad base of users, such as the flaw in OpenSSL that was later exploited by the Slapper worm.

Microsoft, for example, issued 11 bulletins about new vulnerabilities in October alone.