
With So Many Eyeballs, Is Open Source Security Better?


Jul 10, 2018

Back in 1999, Eric Raymond coined the term “Linus’ Law,” which stipulates that given enough eyeballs, all bugs are shallow.

Linus’ Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus’ Law isn’t valid?

According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus’ Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.

“I think that in every development model, security is always a challenge,” Hohndel said.

Hohndel said developers are typically motivated by innovation and figuring out how to make something work, and security isn’t always the priority that it should be.

“I think security is not something we should think of as an open source versus closed source concept, but as an industry,” Hohndel said.

In Hohndel’s view, the key question isn’t about software development models, but rather about having an architectural design that makes software more resilient. For VMware specifically, he said the company spends a lot of time looking at attack surfaces. For example, with the PKS (Pivotal Container Service), which is a Kubernetes container orchestration distribution, a core component is VMware NSX. With NSX, Hohndel said an organization can segment a network, reducing the attack surface.

Hohndel said the idea that many eyeballs make all bugs shallow only works when there actually are multiple eyeballs. In Hohndel’s view, the Linux kernel development process is a good example of an open source project that does in fact perform proper code review.

“One of the biggest challenges for any software product, whether it’s open source or not, is to get enough qualified reviewers to make sure that you don’t get overwhelmed by the speed of innovation and you take the time to actually do decent code review,” Hohndel said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
