I think the point no one seems to ever mention though is that windows gets more attention by more people trying to brake it then any thing else. So more problems are found.

Also, with “common” solutions, closed or not, there is the problem that once a problem is found, a script writen to exploit it, then any monkey can use that. They don’t even have to know how the exploit works.

The more people useing some thing, the more likely some one is to try it on. I don’t think the problems are in the OS, or the main parts such as PHP, or MySQL. Its normaly in the PHP code (or simular) that somes writen, then some one else has used. If you don’t understand it at all, how can you be secure? The problem for me is that there are lots of unskilled people downloading “free” software then assuming its all good, no ones got any come back, and half the time its writen by some one in a back room. Not always bad, but some times it is. No design, no formal testing…. but its free, so who can complain?

Don’t get me wrong though, I use a lot of Open source stuff, PHP etc. But I don’t download other peoples code. I write my own. I like to think its more secure, but even if its not. At least it wont get taken by a script some one wrote to generaly exploit sites.

A lot of it is to do with perception, and well the LAMP stack for example has been examined by many thousands more people than the core of Microsofts OS could have ever been looked at.

Which would account for higher security, less flaws in the code in general and more transparency, which in turn passes less risk on to us.

But yeah, homebrew projects can be terrible for security, and not all open source is good…look at sendmails record! Bring on Exim

open source has the potential to have a lower risk of exploitability…

i think we can all agree that the more people looking at the code, the less chance of those people missing something that could be exploited in a malicious way… that’s no guarantee that they won’t, but it is a higher assurance level…

further, the more popular the open source app, the more people there will be (both good and bad) with motivation enough to examine the code… a really popular open source program, therefore, may receive much more examination than is reasonable or possible for it’s closed source alternatives (for example, it’s quite likely that linux’s code has been examined, at least in part, by far more people than have examined windows’ code)… and for this reason i think the idea suggested of using open source apps no one has heard of before for the sake of security is actually a bad security measure as it tries to get security out of obscurity and gives up the risk managing benefits that open source provides…

on the other hand, the larger the code base, the greater the chance of missing something because it’s more difficult to examine all of the code and model it’s security…

of course, the importance of keeping the software up to date is something that transcends the division between open and closed source… making the code secure is an on-going, never-ending process regardless of how open things are… users definitely need to be made aware of the need to keep all their software up to date…

But we can see that., in OPEN SOURCE the code is viewed by many ppl. and hence LESS THE CHANCES for an insecure code., I said only less the chance., it does not necessarily mean that it is secure., chances are that all the ppl. who looked the code might have overlooked something.

But in CLOSED SOURCE., code is seen by a few ppl., so relatively much more risky…,

Of course there are plenty home-brew projects that still have lousy code. (/me looks in his home-CVS repository.)

At some point, an open-source project will get enough focus, become popular and the source-code cleaned-up.

Independant study? Somehow I don’t see Microsoft lending out there source-code to an ‘independant’ researcher — rather see them making an independant researcher, well, depend…

Fact is, you do not know what goes on in a closed-box whereas you can know what happens in an open one.

Proprietary systems rely on the fact other people never look inside it, simply because it’s written crappy.

Open-source can be read by anyone. This automatically results in cleaner code — as some form of ’social control’ — because you know some other guy is going to complain if you don’t.

The question shouldn’t be whether open-source is more secure than closed — but rather which one can you (unconditionally) trust?

just take a look at microsoft windows. no source but still a lot of bugs and vulnerability discovered.