Security in Open vs. Closed Systems – Ross Anderson, 2002
• It cuts both ways!
  - When a researcher publishes a new abstract vulnerability, an attacker can devise a concrete attack much more easily if source is available
  - However, time-to-market for a defense may be shorter for OSS
  - But OSS makes it possible to identify new code, which is where the bug density will be highest
  - But each individual tester has preferences, so there is something to “many eyeballs” at least in terms of variation in focus