Comment by urbandw311er
3 years ago
Genuine question: do you feel that FOSS is at a disadvantage when it comes to security/threat prevention? The hypothesis would be that potential attackers are able to gain the advantage by being able to fully review the source in advance and leverage potential weaknesses. (Or worse, contribute to the project and inject weaknesses.)
It's the other way around. Only FOSS code has the ability to gather reviews, improvements and fixes from the general public. Security through obscurity is not security.
> Security through obscurity is not security
I've never felt comfortable with that argument.
Yes, if you are a big corporation and you have many employees with eyes on the code, there's no obscurity: when an employee goes rogue, you are wide open.
But if you are the only person with access to the code, obscurity works.
Obscurity doesn't work because someone will find the hole; they don't need the source code.
This is how companies justify not patching security vulnerabilities.
That is a nice hypothesis. The real world isn't that nice. You are assuming that proprietary software vendors care about fixing security vulnerabilities. Most of them don't and they will sue you if you make the foolish mistake of not contacting them anonymously.
The truth is that hiding source code is the security barrier for most proprietary software and nothing else.