The public was with me in my argument that, but the judge ruled against me. Eh, I'm not hurt. More than readers agree with me; almost all of technology agrees with me.
You see, Heartbleed was an exceptional case. Outside of Apple and Microsoft, everyone, and I mean pretty much everyone, has already decided that open source is how they'll develop and secure their software. Google, Facebook, Yahoo, Wikipedia, Twitter, Amazon, you know, all of Alexa's top ten Websites in the world, rely on open-source software every day of the year.
They do it because Eric S. Raymond was right when he wrote, in the essay that got open source started, "The Cathedral and the Bazaar," that "Given enough eyeballs, all bugs are shallow."
The problem with OpenSSL was that no one looked at the code. The failure wasn't with the open-source method, it was that no one bothered to apply it to OpenSSL.
The proof that open source, properly applied, is secure is available. Studies, such as the one recently done by Coverity, have found that. And, it's hard to ignore the Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues, when they said that while no end-user operating system is as secure as they'd like it to be, .
On the other hand, the mere existence of Microsoft's monthly Patch Tuesday says everything most of us need to know about how "secure" proprietary software is. I also can't help noticing how every time Microsoft releases a new version of Internet Explorer (IE), they always claim it's the most secure ever. And then a new hole is found, and guess what, that. If IE really were being rewritten to make it secure, why do the same holes keep showing up in every version?
My worthy adversary thinks that. Given Adobe, Apple, and Microsoft's security track record, has a month gone by in years without major security holes popping up for the major proprietary software companies? I don't see how traditional management has helped them any.
That's not to understate the Heartbleed problem. It was a disaster. It happened because OpenSSL was underfunded. There simply weren't enough people on the job to do the job, and everyone just assumed that because the code was open source it was somehow magically immune to errors. That's pure foolishness, and we paid the price for it: over half of the world's websites were vulnerable to Heartbleed. We won't make that mistake again.
Let's say that OpenSSL, like IE, is fatally flawed. I don't believe it, but say it is. So what? In the open-source world someone just forks the code and comes up with a better version. That's exactly what. With open-source software you're not locked into one company's "secure" solution. If someone doesn't deliver the security goods you want, someone else can, and usually will, come up with a better program.
Put it all together and the facts show that, when done right, open source is the best way not just to develop software but to create secure software. It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded, that there exists the real possibility of a major security problem.
Just like death and taxes, we'll always have security problems. But, as the record already shows, on average open-source programming is the best way to prevent security troubles.