Open Source vs. Closed Source
#1
Which type of software would you prefer using? Open Source or Closed Source? I would much rather prefer using Open Source, because one of the main things is that it's free. It may also come as more secure because it gives security researchers an opportunity to evaluate the code and look for any bugs or vulnerabilities that may be in it.

So what is everyone else's views, opinions, or statements regarding this?
Reply
#2
I don't know of anyone who prefers closed source. The only instance I can think of is when it's a specific closed source application versus a specific open source application (example: Photoshop vs GIMP). But I still think people would prefer Photoshop, as is, on an open source platform. But there is less money in open source, at least not enough money for companies like Adobe.
Reply
#3
(01-09-2016, 09:38 PM)Nerdie Wrote: Which type of software would you prefer using? Open Source or Closed Source?

I prefer the software that works.


(01-09-2016, 09:38 PM)Nerdie Wrote: It may also come as more secure because it gives security researchers an opportunity to evaluate the code and look for any bugs or vulnerabilities that may be in it.

This is a common sentiment, but the reality is, as you said, that it only 'may' offer more security. Even if the code is clean, you also need to know that the binary you use came from that same source code, or compile it from source yourself (how often do users do that?).

This is naturally assuming the code is even looked at by researchers. For the majority of projects there is little benefit to actually examining the code base; sure, there are some bounties, some possible exploit sales, it might be run by a target, or it might just be widely used, so there's a bit of fame or fun in finding a serious issue. The majority of projects don't fall into those categories, or even if they do there can be other barriers to consider: the language and density of the code and the complexity of the algorithms in use are all limiting factors for the researchers who might examine the code. The real security comes from the security considerations and practices of the developers, regardless of whether the project is open or closed source.

Closed source, though, has the benefit of usually being funded: they can have the funding to enforce code reviews before the code is put into production. They can afford to spend money hiring researchers to test and review the code, or afford to pay out bug bounties to encourage the public to test their applications (even without providing code). In an employment scenario it's also much easier to enforce coding standards, something an OSS project may struggle with, and those standards may (or may not) assist with the discovery or prevention of issues.

Ultimately, it comes down to the developers writing the software. Bad development practices lead to insecure code.
Reply
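The point dropzone makes about the binary needing to match the published source is a concrete check rather than just an opinion, so here is an added example (not code from the thread or from any project it mentions) showing the difference between the weak check most users do, comparing a download against a vendor-published SHA256SUMS line, and the stronger one, rebuilding from source and comparing byte-for-byte. The source tree, the two stand-in "build" procedures, the tampered tree and the manifest are all constructed for illustration; `build_nondeterministic` shows why a build that embeds a timestamp or random build id cannot be verified this way at all.

```python
"""Added example, not part of the thread. Demonstrates the check dropzone
describes: confirming a distributed binary actually came from the published
source by rebuilding it yourself. Every file name, source snippet and build
step below is constructed for illustration."""
import hashlib
import hmac
import os

# Constructed source tree: path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return run(); }\n",
    "src/util.c": b"int run(void) { return 0; }\n",
}

# Constructed tampered tree: same files, but one was altered before release.
TAMPERED_TREE = dict(SOURCE_TREE, **{"src/util.c": b"int run(void) { return 1; }\n"})


def build_nondeterministic(tree):
    """Stand-in for a build that embeds a random build id (a timestamp, a temp
    path, unsorted inputs). Two honest builds of identical source then differ,
    so a reviewer cannot tell tampering apart from ordinary build noise."""
    out = b"".join(tree[name] for name in tree)  # dict order, not sorted
    return out + b"BUILD_ID=" + os.urandom(8).hex().encode() + b"\n"


def build_reproducible(tree, source_date_epoch=0):
    """Stand-in for a reproducible build: inputs sorted, timestamp pinned
    (the role SOURCE_DATE_EPOCH plays in real build systems)."""
    out = b"".join(name.encode() + b"\n" + tree[name] for name in sorted(tree))
    return out + b"BUILD_ID=%d\n" % source_date_epoch


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Parse a SHA256SUMS-style manifest ('<hex>  <name>' per line; a leading
    '*' on the name marks binary mode) into {name: hex_digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        if len(digest) == 64:  # ignore malformed lines
            entries[name] = digest.lower()
    return entries


def verify_against_manifest(name, artifact, manifest_text):
    """Weak check: does the download match the vendor's published digest?
    This only shows the file was not corrupted or swapped in transit; the
    digest and the artifact usually come from the same place."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(artifact), expected)


def reproduces(tree, distributed_artifact, build_fn):
    """Strong check: rebuild from the published source with the same build
    procedure and compare the result with what was distributed."""
    return hmac.compare_digest(sha256_hex(build_fn(tree)),
                               sha256_hex(distributed_artifact))


if __name__ == "__main__":
    release = build_reproducible(SOURCE_TREE)
    manifest = sha256_hex(release) + "  app-1.0.bin\n"
    print("honest release, manifest matches:", verify_against_manifest("app-1.0.bin", release, manifest))
    print("honest release, rebuild matches: ", reproduces(SOURCE_TREE, release, build_reproducible))

    backdoored = build_reproducible(TAMPERED_TREE)
    manifest2 = sha256_hex(backdoored) + "  app-1.0.bin\n"
    print("tampered release, manifest matches:", verify_against_manifest("app-1.0.bin", backdoored, manifest2))
    print("tampered release, rebuild matches: ", reproduces(SOURCE_TREE, backdoored, build_reproducible))

    print("non-reproducible build, rebuild matches:",
          reproduces(SOURCE_TREE, build_nondeterministic(SOURCE_TREE), build_nondeterministic))
```

Running it shows the tampered release passing the manifest check (the attacker who swapped the binary also published its digest) while failing the rebuild check, and the non-reproducible build failing the rebuild check even with untouched source, which is why reproducible builds are the precondition for the "did this binary come from that code" question having any answer at all.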
#4
(01-12-2016, 11:04 AM)dropzone Wrote:
(01-09-2016, 09:38 PM)Nerdie Wrote: Which type of software would you prefer using? Open Source or Closed Source?

I prefer the software that works.


(01-09-2016, 09:38 PM)Nerdie Wrote: It may also come as more secure because it gives security researchers an opportunity to evaluate the code and look for any bugs or vulnerabilities that may be in it.

This is a common sentiment, but the reality is, as you said, that it only 'may' offer more security. Even if the code is clean, you also need to know that the binary you use came from that same source code, or compile it from source yourself (how often do users do that?).

This is naturally assuming the code is even looked at by researchers. For the majority of projects there is little benefit to actually examining the code base; sure, there are some bounties, some possible exploit sales, it might be run by a target, or it might just be widely used, so there's a bit of fame or fun in finding a serious issue. The majority of projects don't fall into those categories, or even if they do there can be other barriers to consider: the language and density of the code and the complexity of the algorithms in use are all limiting factors for the researchers who might examine the code. The real security comes from the security considerations and practices of the developers, regardless of whether the project is open or closed source.

Closed source, though, has the benefit of usually being funded: they can have the funding to enforce code reviews before the code is put into production. They can afford to spend money hiring researchers to test and review the code, or afford to pay out bug bounties to encourage the public to test their applications (even without providing code). In an employment scenario it's also much easier to enforce coding standards, something an OSS project may struggle with, and those standards may (or may not) assist with the discovery or prevention of issues.

Ultimately, it comes down to the developers writing the software. Bad development practices lead to insecure code.

Excellent post, this pretty much describes my sentiment towards the question.
Reply