I support free and open source software (FOSS) like VLC, Qbittorrent, Libre Office, Gimp…
But why do people say that it’s as secure or more secure than closed source software? From what I understand, closed source software don’t disclose their code.
If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.
But open source has their code available to the entire world on Github or Gitlab.
Isn’t that actually also helping hackers?
One thing people tend to overlook is: Development costs money. Fixing bugs and exploits costs money.
In a closed source application none will see that your software is still working with arcane concepts that weren’t even state-of-the-art when written 25 years ago. The bug that could easily be used as an exploit? Sure, the developer responsible for it did inform his manager around 50 times he needs time and someone from the database team to fix it. And got turned down 50 times as it costs time and “we have to keep deadlines! And none noticed this bug so far,so why should now notice now?”
Lots of open source software uses arcane concepts because lots of it is old. See Xorg as a prime example. That was outdated 20 years ago already.
Closes source software gets exploited and hacked all the time. They take security seriously as well.
Look at OpenSSL and the heartbleed and similar high profile security failures for how even using high profile open source software is not automatically more secure.
You didn’t get my point: On Open Source people know. People know that Xorg is using arcane concepts and as a client you can pay someone to get through the code. Or a governmental institution can. (And yes, mine does with public reports)
This is not the case with closed sources. You will only know when someone has exploited it. And while closed source applications like Windows,Office,etc. are having enough public weight that a lot of people with good intentions see them as a “challenge” and test for exploits. This is already not the case for smaller,but often critical applications. And no,most commercial closed source applications don’t give a fuck about security - even in critical infrastructure. I worked as a PM for these applications in the past and my company now consults for critical infrastructure. The status of security in niche applications is abhorrent. The longest running major exploit I stumbled upon was 22 years old. And left around 65% of all water treatment plants of a smaller nation at risk. (It’s fixed now. Not because they wanted to, but because someone forced them to)