Well, with open source you can actually verify the security, depending on
how diligent you wish to be; with closed source you must rely on the
vendor's due diligence. Open source can be patched by you in case of
critical emergencies (I have had experience with this option, so it is
a reality), and even if you are not skilled enough to fix it yourself,
it is likely someone else in the open source community will be and will
post the patch publicly. With closed source, in most cases your only
choice is to wait on the vendor and hope their priority is to fix that
issue.
I also find that you can tell a great deal about the people who
developed a product by examining their source code. When we interview
people at my company we ask for code samples, and it is a strong component
in the decision to hire someone, or at least points out potential
issues/weaknesses. I think the same principle definitely applies to
software: good coding practices and secure software go hand in hand. I am
not saying sloppy code is always insecure, or that good, neat code is
always secure, but it can be indicative.
Curious myself: can you explain the "myriad of options"? I am not
saying they do not exist, but it would be more helpful to be explicit; I
would prefer not to just take your word on it :{) .
Take care
On Wed, 9 Jan 2002, Andrew Blevins wrote:
> Why is it automatically easier to harden an open source product? Also, there
> are a myriad of options to hardening an IIS box than just patches.
>
> -Curious