Originally Posted by berlinflyer83
I strongly disagree.
There's nothing inherently insecure about source code being publicly available.
The problem is that attackers now have visibility into the poor coding skills of Symantec and are now able to craft new attacks. Had the source code been available all along, things like this wouldn't really be an issue. Symantec is probably aware of existing vulnerabilities that they didn't take the time to fix, but now might be obvious to a skilled coder. Bad, bad, bad.
Plenty of security software is open source, and available for all to see. See: SSH, OpenSSL, and GPG. OpenSSL powers many many many many web sites (e.g., Google, Amazon, and others). It's what encrypts your credit card data for these sites, and its source code is available to everyone.
The Linux OS is available open source, and when critical vulnerabilities are found, they are fixed...in minutes or hours, not weeks or months like it takes Microsoft and Apple. Or I guess not at all by Symantec.
When a program is open source, then of course you are right. But when a program is not open source, companies do (as you point out) have fewer incentives to deal with bad code and vulnerabilities so they let things slide.
The open source community would fix things in hours sometimes versus years at non-OS organizations.
The problem is that Symantec lost control of its source code in 2006, didn't tell anyone, didn't address the vulnerabilities, and now has egg on its face (to put it mildly).