No BS: Which Software Licensing Model Leads to the Most Secure Software?

We’ve all read the comments and seen the posts.  “Open Source software isn’t secure.”  While that may be true, I’d like to revise that statement by removing two words:

“Software isn’t secure.”

The licensing model of a piece of software will have almost no effect on the quality of that software in the early stages.  The reality of the situation is that the quality of the developers will have the greatest effect on the quality of the software.  It’s no different than building a house or playing Beethoven’s 5th symphony.  The better the crew, the better the result.

So what about after the initial stages of development?  Assuming that the product never takes off, open source software will generally be better.  The open source application will (generally) at least be used by the people who originally developed it for themselves, and so will receive some attention.  Commercial products without followings aren’t likely to be supported, due to low profitability.

Well, what if the software turns out to be wildly popular?  Then which model is going to be more secure?  The answer here is “neither”.  One of open source’s advantages is also a weakness: the ability for anyone to view the code and alert the community to problems also allows hackers to find the problems and exploit them.  Open source allows for what some call the “many eyes” principle, meaning that having so many people looking at the code will ensure that someone notices a problem.  This can also be untrue, since frequently people will just assume someone else is looking.  Wildly successful open source projects may also draw in more developers, which can be positive or negative depending on the skill level of those developers.

The closed source camps have other problems.  First, they will have a finite number of developers who will ever see the source code.  If those developers aren’t good, the code will never be good.  If the developers are good, they may be put under time constraints by marketing and sales departments which require reductions in testing and quality.  While the hackers can’t view the source code, they certainly can and do find exploits.  When exploits are found, you absolutely have to wait for the software company to fix the problems itself.

So, which software licensing model is more secure?  The answer is that your licensing model has a negligible effect on the quality of your software.  The skill of the developers and the culture of the group involved in the project are what matters.