Robert Graham tackles the myth of open source’s inherent security advantage, one I’ve railed against before:
Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.
While engineers won’t review code for fame/glory, they will for money. Given two products, one open and the other closed, it’s impossible to guess which has had more “eyes” looking at the source — in many case, it’s the closed-source that has been better reviewed.
Chances that open source enthusiasts will stop pretending this is a real advantage: zero.