A customer told me the other day that he had heard that open source was more secure than traditional or closed source code. Of course I couldn’t provide a simple yes or no, because that wasn’t possible; instead I provided a lengthy oratory along the lines of:
Open source by itself just means that the underlying source code is available for other developers to see and change (of course all of the licensing behind it is its own topic). So it’s logical to say that just because the code can be looked at doesn’t mean it’s more secure. In fact, if the source code isn’t actively reviewed and changed, open source is actually less secure than closed source. To exploit closed source you have to probe the outside of an application to look for vulnerabilities and then try to exploit them; never knowing exactly what is written underneath, it’s more of a trial-and-error process and can be more time consuming. Whereas if you have the source code right in front of you, you can simply read the code and look for areas in which it is deficient so you can then exploit them.
Where open source gains an advantage over closed source, let’s say Linux vs. Windows, is where you have an active development community supporting the open source project. If you have thousands of talented developers tinkering with and reading and re-reading the source code, they are more than likely to produce more secure code than Microsoft can. However, if you have an inactive community, or a community focused more on features than security, you’ll have software that is inherently more vulnerable than closed source just by virtue of the source being open.
