Yesterday, Fazal Majid reacted to my post on Whit Diffie's talk by saying:
I don't really buy this argument [that more eyes looking at code make it more secure] - unlike ordinary bugs, security reviews like the ones done by the OpenBSD team require a strong commitment and extended effort. They are not likely to arise from casual source reading.
Fazal, of course, is right. Finding bugs in general, and security issues in particular, requires a purposeful, planned, carefully executed review. This morning, almost in response to this issue, Mary Ann Davison from Oracle is discussing open source software evaluations. Specifically, Oracle is going to conduct (i.e. pay for) an EAL2 certification of RedHat's Linux Advanced Server product for use with Oracle DB. She makes the point that Oracle evaluates products all the time, and when they do that, third party teams look at their source code.
On the other hand, I think that the argument restated by Whit yesterday (although not necessarily espoused) is a little more subtle than what its simple retelling in a talk (or blog) can convey. It's not so much that random eyes looking at code will make it more secure. The issue comes down to a basic philosophy of openness and its inherent goodness. As anyone who's read The Transparent Society by Daniel Brin knows, making this argument is much more involved than a simple sentence.
Having recognized software openness as inherently good, I don't want to be misunderstood. I do not believe that this makes companies who close their source code inherently evil. I would, rather, view them as not having yet recognized the benefits of an alternate strategy.