Quote Originally Posted by Thantos
Having worked on open source software I can say that os software is no less of a target for malicious people.
I cannot agree with this bit, Thantos. Well, I don't agree if you mean they can be equally successful in finding and using an exploit.

The problem with commercial software is that it reaches the public attention solely based on marketing forces. Open Source (with a few notable exceptions) instead reaches the mainstream through plain usage. Because of this, commercial software is usually subject to far fewer development cycles than open source, which limits its code quality (arguable, I know, but here I mean only from a security perspective).

Taking a stroll through any security reporting (to name them nicely) website reveals not only more interest in commercial software, but also a higher density of reported security holes in commercial software. It seems it just loses on all fronts. This I attribute mostly to the fact that any software worth being investigated for security holes by a cracker, security expert or power user must have reached some public attention already. In the case of open source this means a lot more code and a lot more brain matter contributed to the current software status. Whereas closed source software mostly reached the attention of these folks through marketing strategies and enjoyed much less time on the drawing board and with a much smaller development team.

There's also, in my opinion, another factor I'm going to name the Quality Assurance Testing factor (or QAT because I'm feeling godly). And this is basically to do with the fact that pay-to-use software follows the same rules as traditional commercial products, where we constantly strive to test, compare, and judge what we are being sold. Open Source software, while not being entirely different in such a competitive market as that of software development, is yet less prone to this QAT. I think this is because it sells well a general feeling of security by virtue of its open source nature and its open and (usually) wide community support.