[bnb]

IIRC the GitHub Open Source Survey noted that the people surveyed were more likely to trust OSS software in terms of security because of the transparency with vulnerabilities and the community surrounding it.

This article mentions increased use of OSS libs as a rising source of XSS. I'm really not sure what's worse - OSS that can be fixed and audited easily or proprietary software that's closed and lacking visibility.

[hdhzy]

OSS is no silver bullet - you still have to do your due diligence to have secure system. OSS just gives you an option to "fix it yourself".

Just recently I was reading a library and stumbled upon this interesting crypto tidbit [0] ("XXX get some random bytes instead"). Maybe a paid engineer would've designed it better but history is full of counter-examples (see CVE-2017-5689 [1]).

[0]: https://github.com/nitram509/macaroons.js/blob/master/src/ma...

[1]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689

[sbarre]

> OSS just gives you an option to "fix it yourself".

I would also say that generally speaking you also get more eyes on your source code so you increase the likelihood that someone will find the flaw more quickly (although you could also say it's easier for bad actors to locate flaws to exploit too).

[raesene9]

I don't think that the many eyes make all bugs shallow style of approach is one people should be relying on for their security. Ever since shellshock (which was present in a very popular open source program for 25 years (1989 -> 2014)) there has been more effort applied to open source libs (e.g. the Internet bug bounty programme) but that's still a vanishingly small percentage of libraries that are being covered.

What I'd say is that given an equal amount of security effort an open source lib is more likely to have higher security, however by far and away the most important factor here is the amount of security effort employed and that is not generally correlated with the software being open source.

[hdhzy]

Well we are comparing apples and oranges here because this small open source repo most certainly have less people looking at it than Intel have engineers working on ME.

[bnb]

Who said this is a small open-source repo? Node.js has one of the most active OSS communities on the web, with many contributors and developers looking at the code, consuming and working on security and fixing bug reports daily.

Also, a single company provides limitations - you've got blinders on, and your project isn't open for those with a different perspective to come in and take a look and notice something. I honestly think that fresh, open, and global perspective is truly key the success of OSS.

[raesene9]

Large communities of open source developers are no panacea, look at shellshock or all the various OpenSSL libs. Those bugs stayed present for years in highly used software...

A large community of devs who are focused on security would indeed be good for a projects security, but that's not always their number one priority.

[hdhzy]

Yes, my point is that we're just throwing anecdotes here, picking examples that suit the augment. It's not proven than one model is better than the other, otherwise we'd all just use the best one and that's all.

> your project isn't open for those with a different perspective to come in and take a look and notice something.

Yes, but consider the fact that a malicious party can also do this kind of analysis. For the record I'm not advocating for closed software, on the contrary, but merely pointing that the matter is more complex than it looks like on the surface.

[raesene9]

What a closed source development team provides over OSS is some control over the quality and training of the developers allowed to commit to the codebase (e.g. the company can mandate that all developers have had training in how to avoid common XSS issues), control over the processes to be followed when commiting code, and control over the security tests to be carried out.

Of course as a consumer of software that doesn't help too much 'cause you don't know which companies do a good job and which ones just say they do a good job...

Open source is better in that you can audit it easily. However lets be honest, how many users of open source software actually are able to audit the libraries they use...

So neither option is particularly great at the moment(IMO)