Slashdot Mirror


Mitnick on OSS

comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering if enough people are really interested in securing open source code."

1 of 286 comments

  1. Re:Dude... by KrispyKringle · Score: 0, Flamebait

    Get real... Apache's an appealing target. Which web server has more exploits for it? IIS.

    You sure about that?

    IIS6: 2 vulnerabilities since 2004
    Apache2: 30 vulnerabilities since 2002

    Seems possible that the correlation between open source and security is not as close as the correlation between good development practices and security. Windows (and IIS) was for a long time plagued with bad development practices; many open source projects have the same problems (even popular ones, like PHP). That, more than open/closed source, seems to be the deciding factor.