The major drawback of relying exclusively on open source projects (and I admit to doing the same at my workplace) is that they are considered "secure and tested" by default. Of course there are projects (e.g., Linux, AES, etc.) that undergo a high level of testing before being released as a new version, but we usually forget that these projects rely on other projects that in turn rely on other projects, and so on. Therefore, the status of individual tests should be checked before any upgrade or installation, running more tests internally (where possible) to ensure a lower level of possible attacks on the supply chain.

Open source eco systems have their problems but it's always going to have more eyes than closed systems. There is a problem of a lot of people using open source but not contributing.

Your level of making things understandable is insane. Thanks for the nice material in this delivery. We have missed you in the IBM videos :D

I love these IBM learning videos. They're so lucid and dynamic. Thank you Jeff.

the 1000 eye argument is also not valid if you check that some stuff is only maintained by a handful of people

Excellent description of a timely topic. Thank you!

When you talk about failure of opensource i would like to share that it's there respective community who encouraged hard-coded password to write inside the code, it's not software failure rather than those community discourage individual to write or make secure product by not mentioning in their document. Also today processors are advanced and they do in memory encryption which can be used by these open source software to secure or turn this failure into success

Great summary, thank you!

Open source is self organizing and more scalable. With open source products, a community of maintainers, contributors, and users share amongst themselves the burden of identifying and solving problems. With closed source products, a handful of employees of an organization must wear all the hats. Closed source is also tempted by "security by obscurity"; a non-option for open source.

3:44 As AI advancements come, I am very sure that automated code inspection to find vulnerabilities is very close, when AI finds something it will be derivative to a human being doing a manual inspection. Great advances in security are coming, much more with the large context windows that are being generated with almost no flaws, will it be with GPT-5, Gemini Ultra 2.0 or Claude 4, or the next generation, I really don't know, but, I'm excited.

Open source software can be only be secured if the dev or admin knows about security and he has done audit its softer ware security, otherwise I can see that if source code is open or available that does not mean it's secure because source code is available or visible.Any attcker can read the code and design the exploit specifically, overall the dev or owner should be smart enough to turn it into secure

How does he mirror write? 🤷🏼‍♂️ Cool video 👍

Awesome presentation!

Wow... It was 2006-2007... Almost 20 years ago...

There's no answering the question in the abstract. It cuts both ways. If your code is open, there is more pressure to implement the best available practices, and because it is open it will put those practices to the test. If it's closed, it could still be using the best practices and/or obfuscation, which actually can add security in the right context. That's all you can say. You're welcome.

How'd you get the eyes to blink 😮

Very nice

As a developer security by obscurity is my daily business.

Nice short video tutorial...

Here's a thought, why not train an AI to look for zero-day exploits in open source code. Switching to Linux would then be a no-brainer

I remember, our Computer Science 101 Laboratory at the College of Engineering was on Linux. At first, I was surprised how weird it was because our Computer lab in high school was on Windows... It was my first experience of Linux. Ubuntu, Linux. I asked why we were using Linux... And the answer that I got was that it was open source. Again, my first experience of the phrase "open source". But they also further added that we were using Linux because, compared to Windows, it was more immune to computer viruses... But not totally... Windows is great... It is preferable but Word, Excel, the whole kit and caboodle, is already not free. Windows is great but it is not free... And I am in a third world country... So... 🤷

"I can see the source code..." Which you can also do with "proprietary" software, if you have, say, a decompiler. The translation between human-readable code and machine code is far more understandable than say the translation between the English language and Arabic. So no, "proprietary software" isn't a "black box".

Yes... It can...

Great talk thanks for being so open!

closed source is already a malware

I will still use linux over window$ any day.

♥♥

It is but like any other system, it can be hacked too🤞🏾

First, learn what Linux is. This will be a good first step.

Richard Stallman (the "king" of open source) and his ilk gave us the original libstd that is used in every UNIX distribution - and that was the source of a huge number of security vulnerabilities. Where were the "1,000 eyes" looking at it when it was blessed by Stallman et al? The vulnerabilities in libstd were the result of undisciplined programmers who were more concerned about performance than they were about security. They cut corners like sloppy teenage programmers.

Watson daishta

Hi

Since this "expert" started the video by implying a comparison with the unnamed (but clearly obvious) Microsoft products, he should be fair and objective and say the fact that in contrast, THERE ARE THOUSANDS OF MALWARE ATTACKING AND INFECTING MICROSFT wINDOWS OS EVERY SINGLE DAY. With this in mind, the implied comparison loses its meaning and purpose, and the two or three security issues that affected Linux over the last three decades pale in comparison and are negligible compared to the Microsoft Windows never-ending security breaches. - I would drink Linux collada all day, seven days a week, with these one-in-five-years' security issues rather than using any of Microsoft's "amazing" products or services for one hour. Microsoft would pay a billion dollars to promote this guy and this video, I even suspect that he works with Microsoft. LOG4J and the few other vulnerabilities (including the one related to XZ module that was discovered last month) are NOT malware, they are backdoor code inserted by bad actors from within the people responsible for maintaining the open source code. ( they are two entities that benefit from creating those security issues and are therefore suspected of planting those backdoor security breaches: Microsoft and state-level intelligence organizations).