
Ask HN: Is open source security effective? - NTroy
As of late, I&#x27;ve found my self in the middle of quite a few debates on open source network&#x2F;system security. Specifically, I&#x27;ve had to defend a number of projects who only use open source tools, and post details of their infrastructure online (such as firewall rules), for others to criticize and comment on.<p>In my opinion, there is no problem with this, as the groups I&#x27;ve defended only expose well-known, battle tested, security audited, and heavily supported dependencies&#x2F;services, such as Django and OpenSSH. They also have very simple firewall rules and configurations which block out all other ports. To me, this seems practical and removes much (although obviously not all) of the risk from their hands.<p>However, I also see the other side, and understand that this could be risky for smaller projects that don&#x27;t have many people reviewing their code. This also, unlike a proprietary solution, exposes technical data about security to a potential attacker, which is a risk... although I&#x27;ve also heard people argue that it doesn&#x27;t actually make any practical difference.<p>Here&#x27;s a simple, but good article on Wikipedia that covers some points on each side. This article is more about software... but many of the arguments still apply or translate: https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Open-source_software_security<p>The point is, I&#x27;ve already had my debates about this, and now I would like to hear from everyone else. What do you think? Do you think that &quot;security through community&quot; is a good idea? Is it the way of the future? Or is it the beginning to the end for any company that takes this approach? Are there some approaches that are good, and others that are bad?
======
corwin7
I think you have to trust your security software, and if it's not open source,
you can't trust it.

~~~
NTroy
Yes, I completely agree with you! I think being able to read through the
actual code of the software you use, in order to fully understand it, what it
does, and how it works is a priceless tool. On top of that, most open source
tools also provide live examples of implementations, which can be extremely
helpful.

However, what do you say to those who will argue that it's actually the other
way around? They'll say that private companies have full developments teams
paid and dedicated towards maintaining the security of their products...
meaning that more work and research gets done, making them more secure, and
trustworthy in the end. Or those who say that open sourcing the code makes it
easier to find vulnerabilities?

