“More eyeballs == Secure code”: But is it just a theory or happens in practice?

To address the title: It does not happen in practice, and the idea that &quot;simply because code is open-source and viewable, it is more secure&quot; needs to die. It is an open-source fantasy, like Linux on the Desktop.<p>Code becomes secure when you train your developers, when specialists audit your code, and when you consciously choose safe libraries and frameworks to build upon. Tasks like these all cost time and money and organizations that spend on security are ones with &quot;skin in the game&quot; who can afford to pay for it.

More eyeballs actually may mean secure code, but only if those eyeballs know what secure code is and if those eyeballs can be bothered to check out the source code.<p>Security software cannot be trusted really unless it is open source and people that know what they are doing look it over. Then you build it yourself on your own system and checkpoint every change you merge in.<p>Almost nobody does this. So you end up with openssl&#x27;s heartbleed and other problems due to plain insecure coding in combination with actual protocol weaknesses.<p>It&#x27;s hard to write secure software and algorithms. The guys writing GUI code care more about performance than security. If your UI is running as root, it is not secure.

&gt; Moral of the story is: &quot;Make security audits a part of the development process itself, not an afterthought.&quot;<p>Then maybe you should start auditing the code yourself instead of just telling others what to do (with their free time)?

&quot;More eyeballs == Secure code&quot; is a massive simplification to get a tweet&#x2F;soundbite, and a terrible one because it makes implicit so much about what this actually means.<p>&quot;More eyeballs&quot; is meant to be in contrast to proprietary code, which is assumed to have a limited number of eye balls looking at it.<p>As for &quot;secure code&quot;, there is no such thing as 100% secure, just as there&#x27;s no such thing as 100% bug free.<p>It&#x27;s all about mitigation and potential. There are various kinds of mitigation, of various levels of strength, appropriateness, and utility.<p>Mitigation of security issues and bugs when it comes to proprietary, closed code is accomplished by actively paying experienced programmers, quality assurance, and security professionals to write, test, and review the code. This is, however, expensive. Which partly explains why some proprietary, closed code has a bad reputation (not the least of which is that, without access to the code, you can&#x27;t verify the (marketing) claims made by the vendor).<p>For open source software, the code is <i>accessible</i> and <i>available</i> to be reviewed by <i>able&#x2F;experienced</i> people. More eyeballs <i>can be</i> on it. This statement should not imply that more, experienced eyeballs actually are on it (but it often is used as such), nor should imply that lay users are expected to uncover and fix security issues&#x2F;bugs. There&#x27;s a lot of code on github and sourceforge that no one has ever looked at other than the author, but it&#x27;s there able to be looked at (and it <i>might be</i> safe to assume that code on github gets a modicum more attention on average than code on sourceforge, ahem). It doesn&#x27;t imply it in the same way that &quot;proprietary&quot; doesn&#x27;t imply that it is actually written, tested, or audited by (paid) professionals either.<p>I think this statement is a bastardization of two other, statements:<p>- &quot;System security should not depend on the secrecy of the implementation or its components&quot;, aka, &quot;security through obscurity&quot; [0]<p>- &quot;given enough eyeballs, all bugs are shallow&quot;, aka Linus&#x27;s Law [1]<p>&quot;More eyeballs == secure code&quot; (and Linus&#x27;s Law) is a statement similar to the Infinite Monkey Theorem[2], and has the same caveats, not the least of which is requiring infinite time and monkeys (or in the case of LL, infinite eyeballs). That doesn&#x27;t necessarily make it less true, but it does make it less pragmatic. So it&#x27;s more theory than happens in practice, but it sounds good, <i>seems</i> intuitive, and has been used as a way to encourage&#x2F;brow-beat proprietary vendors to open source their code (I&#x27;m not sure that this has actually worked for anyone, however, because people don&#x27;t want to use code that has a bad reputation, which actually discourages eyeballs from examining it). Of course, then you get things like phpBB which is open source and notoriously for bad security, which we could say we know because of so many eyeballs using it (if not looking at it). Despite that reputation, it&#x27;s available and gets used anyway. If this reputation actively discouraged people from using phpBB, then more eyeballs, in the form of users being exposed to insecurity, might yield greater security by people actively avoiding the known, traditionally problematic software in favor of something with a better track record. It is unfortunate that in the case of phpBB, its ubiquity and ease of use trumps that reputation.<p>Presumably you could combine them both and hire experienced developers, testers, and security professionals to (continuously) audit open source code. This would arguably be better than solely either proprietary code being audited or the code being open source.<p>There are no silver bullets. You can (attempt to) throw a massive number of eyeballs at the problem, and&#x2F;or a massive amount of money for the very best eyeballs, but neither guarantees absolute 100% security. And any claims otherwise should be suspect.<p>[0] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Security_through_obscurity" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Security_through_obscurity</a><p>[1] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Linus%27s_Law" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Linus%27s_Law</a><p>[2] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Infinite_monkey_theorem" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Infinite_monkey_theorem</a>