Travis Siegel <tsiegel@...>
A bit late to this discussion, but as has already been mentioned, closed source is definitely no guarantee of security. That's a practice called security through obscurity. The only reason it's secure is because nobody knows how it works. Well, I'm here to tell you that these days, there's not only ways to recover original source from many types of programs, but the hackers who know what they're doing can disassemble just about anything, and modify the program no matter what the original develper does. Having open source programs prevents this from being a problem, as anyone who wants to can download the source, and compile the program for themselves, thereby guaranteeing a fresh untampered copy. You can't do that with commercial software, and indeed, you can't even compare commercial software against additional copies to ensure you have a unmodified copy, because there's no information about checksums in most cases. If these guys are banking on commercial software being secure, and ignoring opensource just because it can be modified, then they are doing themselves a huge disservice.
Java, python, C sharp, and other languages can easily be decompiled back into either byt codes, or even back into human readable source code, thereby removing any protection whatsoever from the fact that it's compiled and commercial software. Just because a program is commercially distributed, and compiled before said distribution does absolutely nothing to secure said software.
Also, the claim that they won't use software where you can find the source is another flawed ideal. Hackers have more than once broken into commercial establishments, and stolen (and released) software for many commercial programs. You can find software for all kinds of commercial apps if you look hard enough, and that's without resorting to nonstandard searching techniques such as the dark web. Anyone who claims commercial software is secure just because the source isn't available is like a little kid hiding under the bed and closing his eyes because he doesn't want to see the news on the tv.
This is a ridiculous assertion, and folks (especially ones in charge of making such decisions) should know better.
Do a search for the cert database and look at the number of exploits found in commercial software over the past however many years you wish to check for, and you'll find beyond any shadow of a doubt that being commercial is not even close to a deterent for hackers and other unsavory types.