If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I’m not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn’t mean it is secure, likewise if something is closed source that doesn’t necessarily mean it is insecure as this post describes.
My issue with closed source is we don’t know if it is insecure or secure because nobody can find out. It’s a pandora’s box of privacy and security. It may be the most private and secure code known to man or it may be sending anything and everything about you somewhere but we’ll never really know. As for public audits who picks who gets to audit the code ? The company who made it ? You can do as you please but I refuse to trust closed source code. I’m not saying all open source code is good but at least we can find out if it’s good or not through independant means rather than trusting people that the company who made it picks to tell us.
If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I’m not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn’t mean it is secure, likewise if something is closed source that doesn’t necessarily mean it is insecure as this post describes.
My issue with closed source is we don’t know if it is insecure or secure because nobody can find out. It’s a pandora’s box of privacy and security. It may be the most private and secure code known to man or it may be sending anything and everything about you somewhere but we’ll never really know. As for public audits who picks who gets to audit the code ? The company who made it ? You can do as you please but I refuse to trust closed source code. I’m not saying all open source code is good but at least we can find out if it’s good or not through independant means rather than trusting people that the company who made it picks to tell us.
@PublicLewdness @dngray
The concept of security by obscurity in general is just absurd. It’s maddening that this is the preferred option in Enterprise.