With all the talk of open source and the Obama administration, it shouldn't come as any surprise that the scare-mongering around FOSS security is going to be close behind -- and here's part of the first wave, fresh from Ernest M. Park.
Park is using a single data point (the Debian SSL issue from last spring) to try to build uncertainty around the readiness of FOSS for government work, even though he admits proprietary software may be no more secure than FOSS. Here's what Park has to say:
Now one of the arguments for open source is that there are more eyes looking over the code, since the code is openly available to be reviewed and changed by the community. This is true and one of the reasons that this bug was discovered. The open source system of discovering bugs is beneficial in that the number of people reviewing the code is far greater than for proprietary software. But as the Debian OpenSSL case shows us, it might take up to two years before it is discovered or at least published. Within the past two years, this bug may have already been discovered and not published, with the finder exploiting the bug for all that time. The problem with community review is that it is a voluntary choice and not an obligation.
The problem with Park's argument is this: Access to code is not necessary for discovery of vulnerabilities. Plenty of security holes are discovered in proprietary products without the results being published. Plenty of security holes have existed in proprietary products and been exploited long before the fix was available.
If Park wants to raise concerns about software security, he might start by asking if Microsoft is ready for government work.