Security Basics mailing list archives

RE: Why open source software is more secure


From: Craig Wright <Craig.Wright () bdo com au>
Date: Tue, 13 May 2008 18:33:50 +1000

Most secure software is not OSS. The few pieces of really secure code I have seen all belong to:
A       Military - specialist systems (missile guidance etc) that do not reflect most code
B       Selected Casino operations

There is relatively secure or insecure code in all areas. There is little if any correlation to OSS or not. Some 
individuals write good code. Some of these write OSS, some write for vendors.

Regards,
Craig Wright GSE-Compliance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Klimov
Sent: Tuesday, 13 May 2008 12:44 AM
To: security-basics () securityfocus com
Subject: Re: Why open source software is more secure

It is not clear what is "more secure". For example, if we define
that software is secure if it has no exploitable bugs, then it
is either secure or it is not.

I suspect that there is only a small number of non-trivial
secure software and all of them happen to be OSS -- this
is not because open process magically makes software secure, but
because these specimens were written by security zealots.

Why is most software not secure? It is very simple to answer:
because nobody really cares (even if they claim they do,
"normal" people do not behave accordingly). Most of the users do
not care and thus commercial software is not secure (by the way,
according to the EULA, liability is usually limited to the price you
pay to get the software); most of the developers are not
security zealots and thus OSS software is not secure.

--
Regards,
ASK
