Is open-source software more secure than closed-source solutions? I hear this argument a lot, but you're not comparing the right metrics to come up with anything like that. One, no code is any better than the person that wrote it. So the person either wrote insecure code, or they wrote secure code, or they wrote secure code based on what they knew at the time, but then someone found a flaw because it was stacked on that. So I see people debate about this, and it's not the right argument or the right way to look at it. You can have a very secure closed-source solution. You can have a very secure open-source solution. But is one methodology more secure than the other? Now we're gonna talk about methodologies, not overall projects. The overall projects are gonna vary greatly, and there's not exactly an easy apples-to-apples comparison of an open-source project that absolutely matches in parity a closed-source project, with the same people writing the code, so we can truly determine that. That's the only way you can really do an assessment of it. But let's talk about the concepts that make open-source, of course, a very good choice, and why I choose open-source software. Open-source software and security has to do with being able to view the code. Now, there are people who wanna argue that being able to view the code allows hackers to look at it and go, I can find this way or that way to get around it. Well, that means the code wasn't written securely, because in the closed-source world, when someone puts a patch in and doesn't disclose how it was done, well, we can poke away at it till we figure it out, and that's what we watch happen all the time. It's referred to in the industry as security through obscurity.
Like, I didn't tell you how I made the secret sauce, so it's harder to take apart the secret sauce, allegedly. But we watch breaches happen all the time, so it's an eventuality before someone smart enough reverse engineers that and finds the flaw that you left in there, the one you thought was secure because you didn't share the code. This is a big win for open-source because of this. If the code is in the clear, if the code is published on a repository such as GitLab or GitHub and you can view all the source code for whichever device you're using, whichever software you're using, it can be verified by third parties. Now, I'm not a code verifier, I'm not a code auditor myself, so no, I can't necessarily look at it myself. But trust me, once you have it out there in a public space, that means there are more potential eyes to look at it. But this is where a lot of people go off the rails. Just because it's open-source does not mean someone audited it. Those are different pieces of information. So just because you go, hey, I'll just use this tool because it's open-source, and Tom said open-source was secure. Well, no, it's back to the very first statement: it's as good as the person who wrote it. So if it's not been vetted very well, if it's not really been audited, or the person was not security-minded when they wrote it, you may have a very flawed project that you do happen to have the source code to, and it's whether or not you can audit that source code and verify it. Now let's talk a little bit about verifying, because I know the question comes up all the time. Well, how do I know if open-source is really secure, or if the source code that went into this product is the source code that I'm using as the binary, as in when it's compiled? Well, this is where many projects, Debian as well, do reproducible builds. And what a reproducible build is: we take the source code, we compile the source code, we create a binary from that output. How do you know how it was done?
Well, they have reproducible builds. So they list the parameters that were used to compile that software, and then you can download the software, you can compile it if you want, and verify that the binary that you get matches the binary there, which means the exact code as it was displayed was what produced the tools that you're using. This is an important aspect. This is where things are really difficult on the closed-source side. Closed-source vendors do have independent audits. They will come in, and they will have someone do a security audit, but then there's not any way for you, other than verifying what this third-party auditor said, to verify that. You can see the audit report, you can say, yep, they did reproducible builds, yes, the binary is there. All they have to do is, on the next version update, not do the same thing. So there's not any way to consistently check them. And as I said, not everyone is doing a reproducible build on every open-source project to make sure it matches for you, but it is capable of being done. And there are plenty of people out there doing security audits all the time. This is happening, and so things get found out. And one of the last things I'll leave you with, especially when it comes to open-source and open-source firewalls, which I'm always a big fan of, is making sure there's not a backdoor in there. This is a problem that we've seen a lot with people. And Cisco, they're doing a good job of self-auditing, but if you follow the tail of security blog, they had, probably for convenience reasons, left a backdoor, left a hard-coded password somewhere. And this just rarely happens in open-source. So let me tell you why. When all the code is published, it's rare you'll find someone who goes, for convenience, I'm gonna put password one, two, three, four, five. That way, if I ever have to set one of these up, I'll just have a backdoor in so I can do it.
That's rare in the open-source world because of the open-source development platform and more and more people contributing to code; they would look at that and go, that's just dumb. That's a horrible idea that should never make it into production. And I know someone's probably screaming, yeah, the government made them put the backdoors in, et cetera, et cetera. We don't really have any proof of that. And after all these years working in the market, I'm not saying the government never tries to do nefarious things, and this crosses all governments, not just the one I am under the jurisdiction of. A lot of times people just do dumb things in code for convenience. Never underestimate a lazy programmer and his ability to just go, hey, I'm gonna put this here and put this here and I'll get it out later, and then never take it out later, and it ends up in production. But in the open-source development world, you're gonna see a lot less of this because there's more people contributing to it. So hope this clears up whether or not open-source is more secure. It's easier to audit. It's easier to verify than closed-source. You get to have a better understanding of it. You have the potential to fork it yourself and make your own code base from it. But it's the way you have to look at things. Closed-source, I have less trust in, because I can't always verify it all other than what third-party auditors tell me. Open-source, if you wanna learn, you can really learn how to compile it yourself and roll everything on your own, or you're also able to see how things work, so you get a better understanding and contribute back to that open-source project. So hopefully this clears a few things up. Thanks for watching. If you enjoyed this video, go ahead and hit the thumbs up. If you wanna see more content from my channel, go ahead and hit subscribe and the bell icon, and hopefully YouTube will send you a notice.
If you're interested in contracting Lawrence Systems for any type of IT services work or consulting work, go ahead and head over to lawrencesystems.com and fill out our contact form and get in touch with us. If you would like to help the channel out in other ways, you can use our affiliate links below in the description, or we have a link directly to our Lawrence Systems page where we have a list of different affiliate offers, and it's very appreciated if you use any of those when signing up for any of the services, and many of them offer you discounts. If you wanna head over to our forums, there'll be a link in the description for our forums, wherever they may be, because we've been looking at different forum platforms, but they'll always be relevantly linked right there. All right, once again, thanks. Leave some feedback and comments below on this video, if you loved it, if you hated it. I try to reply to everyone, the people who hate and the people who love them. So thank you very much, and see you next time.
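The reproducible-build check described in the video (publish the build parameters, rebuild from the same source, compare the result with the shipped binary), as an added example that is not part of the transcript and is not code from Debian or any other project it names. A toy "compiler" that only concatenates the source files stands in for a real toolchain so the script runs with nothing but a POSIX shell and coreutils; the published parameter is `SOURCE_DATE_EPOCH`, the convention real reproducible-build tooling uses for the build timestamp. The source tree, the file contents and the epoch values are constructed for the example.

```shell
# Added example; not code from the video or from any project it mentions.
# A toy "compiler" (it just concatenates the source files) stands in for a
# real toolchain. The workflow is the one the video describes: the project
# publishes its build parameter (SOURCE_DATE_EPOCH), you rebuild from the
# same source with the same parameter, and you compare your output's digest
# with the digest of what was shipped.
set -eu

# sha256 of a file (coreutils sha256sum, or shasum where that is missing).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Deterministic build: files in a fixed byte-sorted order, paths relative to
# the source tree (no build path leaks in), and the build timestamp taken
# from SOURCE_DATE_EPOCH instead of the wall clock.
# usage: build_reproducible <srcdir> <outfile>
build_reproducible() {
    src=$1; out=$2
    : "${SOURCE_DATE_EPOCH:=0}"
    {
        printf 'built-at: %s\n' "$SOURCE_DATE_EPOCH"
        find "$src" -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '== %s ==\n' "${f#$src/}"
            cat "$f"
        done
    } > "$out"
}

# The same build done carelessly: whatever order find happens to return, plus
# the temporary build directory baked into the output. Two runs never match,
# even from identical source, so nobody can verify it, not even the author.
# usage: build_careless <srcdir> <outfile>
build_careless() {
    src=$1; out=$2
    scratch=$(mktemp -d)
    {
        printf 'build-dir: %s\n' "$scratch"
        find "$src" -type f | while IFS= read -r f; do
            printf '== %s ==\n' "${f#$src/}"
            cat "$f"
        done
    } > "$out"
    rmdir "$scratch"
}

# Rebuild from source with the published parameter and compare digests.
# Returns 0 on a match, 1 on a mismatch.
# usage: verify_build <srcdir> <shipped-file> <published-epoch>
verify_build() {
    src=$1; shipped=$2; epoch=$3
    rebuilt=$(mktemp)
    SOURCE_DATE_EPOCH=$epoch; export SOURCE_DATE_EPOCH
    build_reproducible "$src" "$rebuilt"
    want=$(digest "$shipped"); got=$(digest "$rebuilt")
    rm -f "$rebuilt"
    if [ "$want" = "$got" ]; then
        echo "match:    $got"; return 0
    fi
    echo "MISMATCH: shipped $want, rebuilt $got"; return 1
}

# A constructed source tree (the files are made up for this example).
make_demo_source() {
    src=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$src/main.c"
    printf '#define VERSION "1.0"\n' > "$src/version.h"
    printf 'all: main.c version.h\n' > "$src/Makefile"
    echo "$src"
}

# Walks through the scenario; returns 0 only if the reproducible release
# verifies, a rebuild with the wrong parameter is rejected, and two careless
# builds of the same source differ.
run_demo() {
    src=$(make_demo_source)
    release=$(mktemp); careless1=$(mktemp); careless2=$(mktemp)
    published_epoch=1700000000
    # The project's release artifact, built with the parameter it publishes.
    SOURCE_DATE_EPOCH=$published_epoch; export SOURCE_DATE_EPOCH
    build_reproducible "$src" "$release"
    # A third party rebuilds with the same source and parameter: match.
    if verify_build "$src" "$release" "$published_epoch"; then ok=0; else ok=1; fi
    # The same rebuild with a different parameter: mismatch, not a pass.
    if verify_build "$src" "$release" 1800000000; then ok=1; fi
    # Careless builds cannot be verified even by their own author.
    build_careless "$src" "$careless1"
    build_careless "$src" "$careless2"
    if [ "$(digest "$careless1")" = "$(digest "$careless2")" ]; then ok=1; fi
    rm -rf "$src" "$release" "$careless1" "$careless2"
    return "$ok"
}

run_demo
```

The second `verify_build` call is the part people skip: rebuilding with parameters other than the published ones tells you nothing, because the parameters are part of the claim being checked. With a real toolchain the same comparison is done on the compiled package, and the usual culprits for a mismatch are exactly the two the careless build shows: timestamps and build paths embedded in the output.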