» ‘Cliché: open-source is secure’

Robert Graham tackles the myth of open source’s inherent security advantage, one I’ve railed against before:

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

While engineers won’t review code for fame/glory, they will for money. Given two products, one open and the other closed, it’s impossible to guess which has had more “eyes” looking at the source — in many case, it’s the closed-source that has been better reviewed.

Chances that open source enthusiasts will stop pretending this is a real advantage: zero.