For years we have heard that one strength of open source is that "with enough eyes all bugs are shallow", and that the downside of open source is that attackers can also see the source. The plus side of closed source is that attackers cannot see the code; the downside is that the public cannot audit it or insert their own fixes and patches.
Last November, on Taosecurity, I made the point (related to the Source Code Club) that:
"If we accept the arguments from the closed source community about their products being more secure due to lack of availability of source, then once the source becomes available [like the releases we have seen recently] we have the worst case from both scenarios. Source available to the attackers, but which has not been audited by the community and is not patchable except through the vendor.
If we take the view that the publicly reported sources available represent the tip of the iceberg, then there are even more risks to running software which is only patchable and auditable by a single, centralized source."
Richard Bejtlich's rejoinder to this was:
"I agree with this sentiment. Other reasons I prefer using open source include the ability to see just how a program works, the chance to modify a program to suit my needs, and the fact that individual programmers are held personally accountable when CVS and other systems track their code check-in actions. (I believe this promotes higher-quality code as opposed to a closed binary with no one's name on it other than the vendor's.)"
Taosecurity also comments that the outcome of the legal wrangling in this Lynn case will have wide implications for the security industry going forward.