Originally Posted by ScottC
At first Symantec tried to brush it off, but yesterday they changed their tone. To me, losing your source code as a security company is probably one of the worst things you could ever do.
I strongly disagree.
There's nothing inherently insecure about source code being publicly available.
The problem is that attackers now have visibility into the poor coding skills of Symantec and are now able to craft new attacks. Had the source code been available all along, things like this wouldn't really be an issue. Symantec is probably aware of existing vulnerabilities that they didn't take the time to fix, but now might be obvious to a skilled coder. Bad, bad, bad.
Plenty of security software is open source, and available for all to see. See: SSH, OpenSSL, and GPG. OpenSSL powers many many many many web sites (e.g., Google, Amazon, and others). It's what encrypts your credit card data for these sites, and its source code is available to everyone.
The Linux OS is available open source, and when critical vulnerabilities are found, they are fixed...in minutes or hours, not weeks or months like it takes Microsoft and Apple. Or I guess not at all by Symantec.