There’s this constant debate when it comes to applications. Is open source software more secure than proprietary software? Is it the other way round? In a nutshell, my point on the topic is that this comparison is wrong and the metrics are wrong as well. The amount of facts we have is not enough to make a comparison.
Let’s start one argument at a time. The first argument is the one with the many eyes. Open source can be reviewed by many eyes. I won’t go to any real life example (openSSL) but let’s focus on the eyes. There are two distinct problems here. The first is that we don’t know the skills and experience of those people in that project. In simple words, we don’t know if they are infosec professionals for example or if security is a skill they developed in their free time and they have no real world experience. In general, we know by default a few things about those people. But that’s fine because we can search for them and view their results. This can’t be done though for a proprietary software team. We don’t know all the members, skills etc thus we have our second point. So, the many eyes argument is good as long as one can prove that for a given open-source project the team is better of the equivalent proprietary.
Fans of proprietary software will play the card “Linux has more bugs”. This is totally incorrect and this metric will convince my granddad to buy proprietary software but it won’t definitely convince me. Let’s take this argument to browsers to debunk it. On the red corner we have Iceweasel (or chromium or any open source browser you like, I don’t care). On the blue corner we have Explorer (or Spartan, I still don’t care). The next thing is to count the bugs for year 2014. Let’s assume now that the open-source browser you chose has more bugs compared to the proprietary browser. Again, your metrics are faulty. Open-source projects have open bug trackers. On the contrary, on proprietary software you can only find the bugs that were made public. In other words, if I work for Microsoft and I find a critical vulnerability in Spartan, you may never find out, let along count it. So yeah, metrics won’t work here either.
Finally, it’s time to debunk the final argument, open-source languages versus proprietary ones. Since it was brought up recently in an interview, I will use that same argument. NET technologies are more secure than PHP (replace PHP with any language you want). Obviously this metric is faulty again. I can pull the card “PHP is used by the 82% of websites”[here]. I won’t put this argument into play at all though. The problem with security boils down to the development and the developer. Yes, .NET offers by default a number of security countermeasures. PHP, Python etc offer by default a variety of functions that offer the same security countermeasures as well. The first problem is the software development lifecycle and whether or not it is related to security. If you do a secure software development lifecycle, the chances are greater to detect and patch bugs. Moving on, the next essential variable of the equation is the developer. If the developer knows his thing when it comes to PHP it is obvious that his app will be more secure in PHP and he will also develop things faster in PHP compared to ASP or Java. The final part of the equation is that threats are pretty much language-agnostic. As such, this metric is faulty.
As such, I think we don’t have at the time a proper metric to conclude (temporarily) which is more secure and which is not.