Hi,

During a discussion with an application architect, while troubleshooting SQL Server's "security" behavior, he asked how an application can be more secure when anyone can view the security-related code. I thought this was self-evident, but I guess it is not. I was wondering how others would answer this question?

Thanks,
Mike
It's all about auditing. The more people who can look at the code, the more who can find AND FIX any bugs. And the bugs do get fixed. For historical evidence of that, look at how quickly the Linux kernel was fixed when the "teardrop" bug was revealed. It took Windows much longer to release a patch. There are probably more recent examples, but that's the first one that comes to mind that affected both open and closed source software. This is the exact same reason that professional software developers have code reviews. Many eyes make all problems simple.

Scott

Michael Long said:
Hi,
During a discussion with an application architect, while troubleshooting SQL Server's "security" behavior, he asked how an application can be more secure when anyone can view the security-related code. I thought this was self-evident, but I guess it is not. I was wondering how others would answer this question?
Thanks, Mike
_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
The security of an application is not hidden in a trick in the code but in the algorithm it is using. Being able to see the code (assuming it were bug free) should never reveal a bug in the security framework. Obfuscation is not security.

On Fri, 12 Mar 2004 11:09:37 -0500 (EST) "Michael Long" <mlong@datalong.com> wrote:
Hi,
During a discussion with an application architect, while troubleshooting SQL Server's "security" behavior, he asked how an application can be more secure when anyone can view the security-related code. I thought this was self-evident, but I guess it is not. I was wondering how others would answer this question?
Thanks, Mike
On Fri, Mar 12, 2004 at 11:09:37AM -0500, Michael Long wrote:
guess it is not. I was wondering how others would answer this question?
I was working at RSA Security for a while, and my manager gave me the same sort of line: "We make security products here, you definitely don't want that open source!" <some other reference about open source being less secure> My response was along the lines of: "Actually, that's _exactly_ the software I would want open source. Security through obscurity (which is what most non-open source relies on) doesn't work." He wasn't happy. <G> Anyway, yeah, "real" security people want as many people looking at their code/algorithm/etc. as possible to make sure it's secure in and of itself. There are reasons that things like MD5, SHA1, AES, etc., all went through a rigorous review process before they were made a "standard".

--
Randomly Generated Tagline: s Blind, Lingerie makes Great Braille!
Thanks to everyone who replied. I am now able to explain the benefits of open source much more clearly. I have since had a very interesting followup conversation with the architect and I believe he may be starting to understand the benefit of open source. Mike
Participants (4): Michael Long, orbitz@ezabel.com, Scott Venier, Theo Van Dinter