"Is Open-Source software more secure than Closed-Source software?"
Of all the questions I get asked on a regular basis on web application security - perhaps this is one of the toughest. The answer, quite simply, is no. There are arguments that can be made for as well as against the security of either - but I think it's most prudent to lay out the Pros/Cons of each approach so that it's possible to look at the case for each more objectively.
The Positives
- Open-Source: A case can be made that with open-source software (OSS) there is complete transparency, or at least the appearance of it. The software's code is freely available, and one can modify it as he or she so chooses. In theory, vulnerabilities of the intentional variety would be more difficult to hide in this scenario (albeit not impossible, obviously). With complete transparency comes the natural ability for many, many people (including security-conscious folks) to put eyeballs on the code and find and disclose bugs more readily. In this case the good guys get an even crack at defects.
- Closed-Source: With closed source, the source code is unavailable, so the security-by-obscurity model falls into place. Also, closed-source is typically for-profit software, which is given a great deal of scrutiny to be more secure, since security defects can have a devastating effect on the application itself. Security defects in closed-source software often go unnoticed for long periods of time, and some are never discovered. Without the source code, finding security defects in closed-source software requires extreme amounts of negative testing, using techniques such as fuzzing. Without direct knowledge of the code, the process of writing [effective] exploits is often trial-and-error.
The Negatives
- Open-Source: Since open-source is more transparent, security defects are found more rapidly - often by the bad guys. Also, open-source software is often built by many different people, and more often than not on a shoestring budget. The low-budget aspect (free software doesn't generate a lot of revenue), it can be argued, prevents the developer from having the proper resources at his or her disposal to produce less defective code. Also, because OSS is often a collaborative effort, it's relatively easy to make mistakes in the way the different pieces interact with each other, which can lead to security defects. Open-Source Software quite simply doesn't typically have the monetary backing to produce good quality, more-secure code.
- Closed-Source: Since closed-source software doesn't make the source code available, and it's typically illegal to reverse engineer the code, it falls to the developer to produce verifiably secure code. This also puts the good guys at a distinct disadvantage, because while the hackers care naught for the DMCA and other laws, the white hats have to follow the rules. Not getting a chance to pore over the code makes it difficult to find or expose critical security defects until it's often way too late. Closed-source software also suffers from the arrogance problem - it goes something like this: "We're a big professional software developer, not some open-source fly-by-night group; our code is by far superior because we have money and highly-paid developers. Trust us, and don't reverse-engineer our code or we'll have you arrested and charged". This truly becomes a problem for researchers and penetration testers trying to do good, legitimate work.
So, what's the verdict? Each has its merits and problems, much like the debate over MS Windows vs. Linux... the answer to which is this: "Each, in the hands of a poorly trained chimp, can be exploited rather quickly". So should you be making the switch to OSS (Open-Source Software) and abandoning closed-source? Probably not - but by the same token, don't discount one or the other without fully understanding the ramifications of each.
Merry Christmas, Happy Holidays...
Posted 12-17-2008 5:14 AM by RafalLos