Open source of course doesn’t mean secure or easy to use, it just increases the avenues for scrutiny of the software. I’ve seen plenty of open source projects where you need to spend a long time learning the system because of the poor documentation – that lack of documentation will be an impediment to any effort to obtain assurance in the security of the system.

OpenSSL is a fine example of open source software for which vulnerabilities continue to be found and fixed. The Bleichenbacher vulnerability (http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/) is not something that any amount of testing would have uncovered, until the nature of the exploit was known.

Finally, several years ago when NSS was opened up I remember talking to our friend TP about it – I asked if his agency or the DoD were likely to object, celebrate, or even notice the fact that the server was opened up – the best guess was “not even notice”. It’s been almost a decade since then, I wonder if agencies pay any more attention to such questions now.