Openness and security go hand in hand

I just saw the post on Mashable about Microsoft downplaying the IE security hole. The one quote that caught my attention was from Microsoft’s UK security chief Cliff Evans. He said:

“The net effect of switching [from IE] is that you will end up on a less secure browser,” and that “the risk [over this specific] exploit is minimal compared to Firefox or other competing browsers… you will be opening yourself up to security issues.”

He’s got to be kidding, right?

A key difference between IE and the open source browsers is what happens when a problem is found. If it’s IE, we sit around and wait for Microsoft to fix it. On the other hand, if someone finds a bug in Firefox, hundreds of developers jump on it and race each other to get it fixed. Of course there are vulnerabilities in Firefox and there are bugs in Chrome – that’s just the reality of developing software. The important thing is that security issues get found and resolved much faster in an open-source environment.

I’m a firm believer that openness leads to greater security. This is a big reason why Unix is more secure than Windows. I’m not suggesting that Microsoft doesn’t have smart developers, because they do. They just don’t have the benefit of having constructive code reviews from thousands of smart developers who care so much about what they’re building that they’re willing to do it for free. It’s tough to compete with a group of people who are working out of passion instead of for a paycheck.

Openness leads to security, which leads to trust. If we ever implement online voting in America, the only way to do it would be to open-source the whole thing. Unless it was open-sourced, no one would trust the results. I’m not saying that everything in the world needs to be open-sourced. That’s not realistic. But when it comes to security, openness is crucial. It’s no accident that the encryption algorithms we use to transfer credit card numbers over the web are all open-source. That openness gives us confidence because we know these algorithms have been tested by hackers all around the world. They’ve gone through the fire and somehow still came out standing.

If you ever need to make sure something is 100% secure, the first step is to open-source it.