Is Open Source Really So Much More Secure By Nature
- 
 The problem here is that the argument isn't something that peer review is going to tackle, because the question is akin to asking why the sky is blue. Open source is so obviously the more secure process that no one would understand what needs to be explained. It's like asking for a peer review as to why locking your door is more secure than leaving it ajar. People would be flabbergasted if you asked them such a thing. As I'm shocked now. The question is actually that you want a peer-reviewed research paper showing that taking security seriously and providing mechanisms to encourage security both technically and through human/business/peer/market pressure, rather than using obscurity to hide mistakes and remove pressure to be secure, is more secure? Literally the big difference between the two is "one is about promoting security, and one is about undermining it." That's what we are actually discussing. 
- 
 Here's another great way to look at it... The desire for a peer reviewed article to prove the point is telling. When it comes to security, you want peer review. But that's the point of open source: peer review. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: Here's another great way to look at it... The desire for a peer reviewed article to prove the point is telling. When it comes to security, you want peer review. But that's the point of open source: peer review. Just write secure code, problem solved. 
- 
 I did find a peer reviewed paper, but it was written by Microsoft and peer reviewed by a university that they fund. And it just said that they didn't have any means by which to evaluate the two because there's no viable metric. "In conclusion, open source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code." However, they also came to this utterly garbage conclusion that only Microsoft could come to: "...many security attacks are independent of the source code, so neither open source or proprietary software is less secure." So let me get this straight, Microsoft's employee claims that since many attacks come through other vectors, that code security is irrelevant anyway? That's literally what they said in the paper. So their claim is that something like the Solarwinds event is irrelevant since, for example, ransomware is common in other arenas. 
- 
 The underlying issue is that Microsoft (or any closed source software company) isn't motivated to make their software secure, because it costs a ton of money to do that. And instead of writing secure software, they pay for "peer reviews" saying that nothing can be secure because of other random reasons. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: I did find a peer reviewed paper, but it was written by Microsoft and peer reviewed by a university that they fund. And it just said that they didn't have any means by which to evaluate the two because there's no viable metric. "In conclusion, open source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code." However, they also came to this utterly garbage conclusion that only Microsoft could come to: "...many security attacks are independent of the source code, so neither open source or proprietary software is less secure." So let me get this straight, Microsoft's employee claims that since many attacks come through other vectors, that code security is irrelevant anyway? That's literally what they said in the paper. So their claim is that something like the Solarwinds event is irrelevant since, for example, ransomware is common in other arenas. LOL - yup, that's what I read 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: LOL - yup, that's what I read  Haha, it was definitely not a good thesis. It had some good points, but got lost and focused almost entirely on anything but the topic and by the end, was so distracted, that they no longer even considered the topic. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: Haha, it was definitely not a good thesis. It had some good points, but got lost and focused almost entirely on anything but the topic and by the end, was so distracted, that they no longer even considered the topic. Oh - I was only replying to your post.. not the whole paper 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: Oh - I was only replying to your post.. not the whole paper Oh, I read the entire 22 page article. It wasn't all bad, but it was clear that no one with an understanding of the topic was involved because it basically had a tiny amount about the topic, and a huge amount lost talking about unrelated things like social engineering and investment dollars rather than the licensing. But it was suggestive that they spent most of the paper trying to come up with excuses for why closed source was still acceptable even though all evidence and logic pointed to the contrary by trying to show that what matters is something else. And that's true, the source licensing is not the biggest factor... but it's the factor being discussed. They definitely resorted to misdirection to try to downplay a conclusion that they were aware of. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: Oh, I read the entire 22 page article. It wasn't all bad, but it was clear that no one with an understanding of the topic was involved because it basically had a tiny amount about the topic, and a huge amount lost talking about unrelated things like social engineering and investment dollars rather than the licensing. But it was suggestive that they spent most of the paper trying to come up with excuses for why closed source was still acceptable even though all evidence and logic pointed to the contrary by trying to show that what matters is something else. And that's true, the source licensing is not the biggest factor... but it's the factor being discussed. They definitely resorted to misdirection to try to downplay a conclusion that they were aware of. Wait a min - where did licensing come into this conversation? I thought we were talking about security of code open source vs closed source? 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: Wait a min - where did licensing come into this conversation? I thought we were talking about security of code open source vs closed source? OH - the type of license applied to the source.. nevermind - I get it. But wait - open vs closed isn't the biggest factor for security in code? then what is? 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: But wait - open vs closed isn't the biggest factor for security in code? then what is? The quality of the code being written. 
- 
 There are SO many factors that go into making code, and all of them play a factor in the security of the final product. Some of the factors that play in...
- Skill level of the developers.
- Security mindedness of the organization.
- Priority given to security.
- Security training.
- Code Auditing.
- Licensing
- Market pressure for security.
- Legal penalties for insecurity.
- Passion for project.
- Development environment and ecosystem.
- Tooling
- Project Management
- Deadline Management and Time Pressure
- Type of software being written.
- Ecosystem of libraries and components.
- Architecture and design of software.
- Up to date tools and libraries.
- Value of compromising system.
 
- 
 For example, in one of the articles it was pointed out that Microsoft's culture made it hard for them to retain highly skilled developers and that they relied very heavily on smart, but inexperienced, college grads. This means that they aren't leaning on those that are most competitive (those tend to be hired before college) nor on those that have built up the best reputation (highly experienced) as both of those were being poached by other, more competitive firms. So Windows was (and still is, we assume) suffering from having to be made by people with less overall experience and less overall skill than are going to other firms, while having less political clout to push for good things in the environment. The latter is more important than it seems. Very few companies make it comfortable for a junior developer to take personal career risks to push for things like performance or security. Those things put their careers in jeopardy and offer little to no potential reward. And as a junior, you lack the reputation to push through an agenda that a PM might not want, and almost certainly lack the confidence to attempt it. MS also lacks being a "sexy" place to work. It's not something you brag about. In fact, in many cases, it's a bit embarrassing. Heck, they hired our community's famous drunk that is all but banned from any professional event because he constantly shows up wasted and harasses the speakers and pukes at the event (for real.) This is the bar for being an MS engineer. I'd be ashamed to be associated. Their behaviour in this community is utterly unprofessional as well. Bottom line, coming home from a sweet startup making something amazing is likely to drive a lot more happiness at work than being a grunt working at MS where most people who learn where you work are happy for you that you have a job, but ultimately feel badly for you that you failed to get into a place you were hoping to get and had to settle. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: @Dashrender said in Is Open Source Really So Much More Secure By Nature: But wait - open vs closed isn't the biggest factor for security in code? then what is? The quality of the code being written. yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large. 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: @Dashrender said in Is Open Source Really So Much More Secure By Nature: But wait - open vs closed isn't the biggest factor for security in code? then what is? The quality of the code being written. yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large. One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do. But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect. 
- 
 @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: @Dashrender said in Is Open Source Really So Much More Secure By Nature: @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: @Dashrender said in Is Open Source Really So Much More Secure By Nature: But wait - open vs closed isn't the biggest factor for security in code? then what is? The quality of the code being written. yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large. One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do. But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect. I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable. I mean I suppose you could use the same licenses MS has today on open source code, but how many people would still simply steal it? 
 This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: Open source seems to be much more difficult to make profitable Of course it is. @scottalanmiller said as much about his own company. @scottalanmiller said in Is Open Source Really So Much More Secure By Nature: The benefits of close source (and you can trust me, I run a closed source software firm) are 100% to the vendor keeping their technology out of their competitors hands. Closed source often makes it easier to make money on software where customers are unlikely to pay for support. That's it. That's the only benefit (but it's a big one), but the benefit exists only to the company selling access to the code. From the customers' perspective, every closed source product would be equal or better if opened. 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable. This is generally the case and I made a video explaining that last night that is in the process of being edited. Should be up in a week or two. But that's unrelated to the discussion. True, essentially fact, but not a factor. 
- 
 @Dashrender said in Is Open Source Really So Much More Secure By Nature: mean I suppose you could use the same licenses MS has today on open source code, but how many people would still simply steal it? Like they do with the closed source already? 