Re: Closed source considered harmful
Load of codswallop and you know it "CAPS LOCK"!
Large companies, such as Amazon, no doubt either employ "someone who can" or have the resources to "find someone who can".
That hasn't stopped them being caught with their pants down when faced with vulnerabilities in open sourced software and having to go round patching stuff in a hurry.
Both open and closed source are likely to have security bugs in them; it's a fact of life of programming being done by humans.
But in the case of open source:
(a) The quality of programming can vary widely by open source project depending on how careful they are in their code review process (i.e. not many go to the extremes that the OpenBSD crowd do, for example).
(b) The ease of firing up projects on Github (or other platforms) and the ease of merging in pull requests from minimally vetted third parties only further contributes to (a).
(c) I am no mathematician, but given the significant number of "popular" open source projects vs a smaller number of "popular" closed source projects, the statistics are likely to tell you that you have a higher chance of being caught out with vulnerabilities.
A typical Linux installation, for example, even a fairly minimal "server" version, has dependencies on how many third-party open source packages? Are you or your "someone who can" seriously going to sit there reviewing the base code and then every single commit that comes after it?
Same goes for stuff like OpenSSL.... you would have thought that given what OpenSSL does, and its prominence everywhere from Enterprise to Home, that enough people like you or "someone who can" would have picked their way through the source code.
But the reality of life (and the reason that major projects such as OpenBSD, Mozilla and Wikipedia end up having to have cash-collection begging sessions) is that behaviour in the Open Source world is no different to the Closed Source one. In other words, other than core committers and other people who choose to subscribe to (and actually read and contribute to) the "dev" mailing lists, the vast majority of the Open Source community takes without giving back anything (not even code review).
Realistically the only people who really do security code review on open source projects (other than those few projects with a distinct security focus such as OpenBSD) are pentesters seeking a bit of free publicity, or government agencies seeking an exploitable avenue.