In his article “Open vs. Closed”, which appears in Open Source Security, Ford concludes that cybersecurity cannot be measured. He argues that there are two possible ways to measure the security of a system:
• What are the chances that the confidentiality, integrity and availability of information of a system will be compromised?
• How many vulnerabilities are there in a product?
Ford says there is no way to quantify either measure. “Measuring security will mean different things to different people,” he writes. (Citation comes by way of John Scott, director of open integrations for RadiantBlue Technologies in Reston, Va., and author of the powdermonkey blog.)
More surprisingly, Ford comes to the same conclusion regarding open-source systems (for which the source code is public) and closed-source systems (in which the source code is kept secret). “The cases where one is clearly better than the other are few and far between,” Ford says.
True, open-source applications benefit from Linus’s Law (which states that given a large enough co-developer base, almost every bug will be found quickly and the fix provided by someone), but closed source “makes it expensive for anyone other than the developer to find those bugs.” Some applications benefit from full disclosure of their inner workings, some don’t.
Just another reason to lose sleep. Let us know about your cybersecurity concerns.