Is open source software more secure than proprietary software? In a word, “yes.” However, will using open source software solve your security needs? The answer is a resounding “no.” Many people believe security is a feature of software. But network security is a process, not a checklist on the side of a software box.
Having said that, I believe that the open source development model does create software with significantly fewer exploitable holes than proprietary software. I've been developing software for more than 15 years, much of it — in my earlier days — proprietary. I know that programmers of proprietary software leave holes and take more liberties than open source programmers. The reasons are simple: their management and marketing departments are screaming for the code to ship, doing it right is harder than doing it quickly and, after all, they think, who is going to know? I've been in this situation myself.
On the other hand, most open source software is written by people for whom programming is not a chore. It's a craft, and they take great pride in doing their work properly. Away from the demands of marketing and management, they are able to create the code that they want to write, not the code that will make the most money. The difference in the quality of the code produced by the two methods is staggering.
Proprietary software vendors claim that corporate reputations and the reputations of their developers are at stake with regard to security, but corporate reputations are easy to repair. After all, the “Love Letter” virus that exploited a security design blunder in Microsoft's e-mail client was responsible for millions of dollars in lost productivity and lost data — an error that would have been avoidable if the code had been open to peer review. Yet Microsoft is still in business. With open source, developers' personal reputations are on the line. There's no corporate public relations spin machine to hide behind.
Also, consider the reasons for security alerts. Most often, a security alert is issued for a proprietary software package once a cracker has created and published an exploit to take advantage of a problem. Most open source security alerts are issued because of third-party audits, not published exploits, and an alert is published in the spirit of openness to notify any users of the broken software about upgrades.
But don't take my word for it. Look at the insurance industry. A Michigan insurance company has raised hacker insurance premiums for sites running Microsoft Windows NT to up to 15 percent more than those for sites running Linux. Insurance companies don't deal in opinions — they deal in facts. Their profits depend on it.