Open Source: Is it inherently more secure than proprietary software?
After a series of entries about security threats from employees, I’d like to turn to something completely different: security issues relating to open source software.
For those of you unfamiliar with open source software, it is essentially software made available and developed through the “non-proprietary” efforts of potentially many unrelated programmers. The idea behind open source is the exact opposite of proprietary software. With open source software, the goal is to make available software that can be freely distributed and modified. This means making the source code of the software, something that is ordinarily strictly protected in proprietary applications, readily available to all licensees. Open source software is generally developed by the combined efforts of any number of unrelated programmers, frequently distributed around the world (e.g., Linux, applications from the Apache Software Foundation, etc.).
Proprietary software, on the other hand, is generally developed by a single company, with the source code being strictly protected. One of the most significant distinctions between the two types of software is that open source is generally provided completely as-is, with no contractual protections whatsoever. Licensors of proprietary software, in contrast, generally provide at least basic warranties, indemnities, and other contractual protections.
Many people argue open source software is inherently more secure than proprietary software. This is because the source code for open source software is readily available and, if the application is popular, will be reviewed by many different people. This is the “many eyes” theory of security, which has been used very successfully in the area of encryption for many years. Whenever a new encryption algorithm is proposed, its specifics are frequently publicly disclosed with the express intent that many people will carefully scrutinize the algorithm for potential flaws. This generally leads to far more secure encryption algorithms than those that are not publicly vetted. The same thinking is applied to open source software: if the source code is made available for public review, it should be more secure than proprietary software because more people (i.e., not just the original developers who may suffer from a severe case of myopia) will review the code for potential security risks.
The million dollar question is whether the “many eyes” theory actually works for open source software. Is open source more secure than proprietary software? There are arguments on both sides of the question. Some insist all open source is inherently secure because the source code is available for review. Others focus not on whether the source code is available for review, but whether it is, in fact, actually reviewed. The “many eyes” theory only works if you actually have “many eyes” looking at the programming.
The security question has to be answered on a case-by-case basis. Licensees considering deploying open source in a mission-critical environment must satisfy themselves that sufficient review of the application has been conducted to have reasonable confidence in its security. If the application is widely used, the risk is minimized.
On the other hand, if the application has relatively few users, the licensee may have to conduct its own code review. Such a review can be very costly and may not be economical. The alternative, of course, is to seek out an alternate, proprietary application and require appropriate contractual protections from the licensor.
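The “many eyes” question above turns on evidence, not theory: before relying on community review, a licensee can measure how many people actually commit to a project and how recently. The following is an added example, not code from the original post; it parses constructed `git log --format='%H|%an|%aI'` output (the hashes, names and dates are made up) and flags projects whose review base is in practice one or two people, using thresholds that are assumptions rather than any established standard.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: what `git log --format='%H|%an|%aI'` might print for a
# hypothetical small project. Hashes, authors and dates are invented.
SAMPLE_LOG = """\
a1b2c3|alice|2024-03-01T10:00:00+00:00
b2c3d4|alice|2024-02-20T09:30:00+00:00
c3d4e5|bob|2024-01-15T14:10:00+00:00
d4e5f6|alice|2023-11-02T08:00:00+00:00
e5f6a7|alice|2023-06-30T16:45:00+00:00
"""


def parse_log(text):
    """Parse 'hash|author|iso-date' lines into (author, aware datetime) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, author, stamp = line.split("|", 2)
        entries.append((author, datetime.fromisoformat(stamp)))
    return entries


def review_metrics(entries, now, window_days=365):
    """Count distinct committers and activity inside the look-back window."""
    cutoff = now - timedelta(days=window_days)
    recent = [author for author, ts in entries if ts >= cutoff]
    by_author = Counter(recent)
    total = len(recent)
    # Share of recent commits from the single most active author (bus-factor proxy).
    top_share = by_author.most_common(1)[0][1] / total if total else 0.0
    last = max((ts for _, ts in entries), default=None)
    return {
        "distinct_authors": len(by_author),
        "commits_in_window": total,
        "top_author_share": round(top_share, 2),
        "days_since_last_commit": (now - last).days if last else None,
    }


def assess(log_text, now_iso, window_days=365, min_authors=3, max_top_share=0.6):
    """Return metrics plus a flag: too few eyes means the licensee must review itself."""
    m = review_metrics(parse_log(log_text), datetime.fromisoformat(now_iso), window_days)
    m["needs_own_review"] = m["distinct_authors"] < min_authors or m["top_author_share"] > max_top_share
    return m


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, "2024-03-15T00:00:00+00:00"))
```

A real assessment would also weigh issue-tracker responsiveness and whether changes are reviewed by someone other than their author; commit counts alone cannot show that.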