I support free and open source software (FOSS) like VLC, Qbittorrent, LibreOffice, Gimp…
But why do people say that it’s as secure or more secure than closed source software?
From what I understand, closed source software don’t disclose their code.
If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.
But open source has their code available to the entire world on websites like Github or Gitlab.
Isn’t that actually also helping hackers?
What is more secure, a secret knock or an actual lock?
The lock is something that everyone can lookup, research and learn about. Sure, it means that people can learn to lockpick, but a well designed lock can stumble even the best lockpicks.
A secret knock is not secure at all, it sounds secure but in reality it is just obscure, and if anyone learns it or it’s simple enough to guess, it becomes meaningless. Even a bad lock will show signs that it was picked.
So that’s an analogy, here is the actual explanation:
Let’s assume we have a closed source product named C and an open source product named O and that the security and quality of the code is the same. Both products are compiled and have been in active development for years. Both products have a total of 2 different people going over the code change of each new version, one person writes it, another reviews the code and approves it. After years of development you probably have about 10 people in total who have actually seen the code, anything that they missed will go unnoticed, any corners that they decided to cut will be approved, any bad decisions that they made will not be criticized. Here is where C and O differ: C will forever stay in this situation, only getting feedback rarely from researchers who found vulnerabilities and decided to report them. O will get small parts of it reviewed by hundreds of developers, and maybe even fully reviewed by a few people. Any corners that O cuts will be criticized, any backdoor that O tries to implemented will be clear to see. C on the other hand has one small advantage, bad actors will have a harder time finding vulnerabilities in it because it is compiled and they would have to reverse engineer it, while O is clear for the bad actors to read. But, bad actors are a very small minority, any vulnerability in O is far more likely to be caught by good actors, while C is very unlikely to be reversed by any good actors at all and so if it has any vulnerabilities, they are far more likely to be found by bad actors first.
And it is important to note the conflict of interests that often exists in closed source software. A company that sells a product for profit and believes that its code is hidden, has very little interest in security and almost no interest in end user security, but if the code is not hidden, the company has an interest to produce reasonably secure code to maintain a reputation.
So almost always, open source leads to safer code for all parties involved.