Dana Blankenhorn explains why closed source is not really closed.

NEW YORK (TheStreet) -- There is a misperception at the heart of the open source vs. closed source debate, which is that closed source is really closed.

It's not. Your license says you can't see it. The vendor won't show it to you. Good people are not supposed to look.

But bad people look all the time. Microsoft malware exists because bad people look, and find bits of the code they can exploit. It's a continuous game of cops and robbers, with security professionals trying to protect every window and bad guys knowing they only need to unlock one.



So news that code for VMware's ESX hypervisor was released , that more of it is to come, because someone calling themselves "Hardcore Charlie" successfully broke into China's export-import center, made some analysts go "hmmmm."

VMware(:VMW) may be the leading hypervisor because, unlike rivals KVM and Xen, it is closed source. Old-line enterprise managers like closed source code. They think it's safer. Indeed, VMware's stock keeps rising to new highs, giving the company currency with which to make acquisitions, and results justify the optimism, because of this perceived safety.

But that image of safety is false. It's true that, because KVM and Xen are open source, bad guys can see the code. But so can the good guys. A bad guy's exploit can quickly be addressed by a large community, not just by security specialists and the company that owns the code.

In other words, open source code is safer. By design. The bigger the code base, the closer it lies to what the computer is doing, the safer open source gets, because the more people are depending on it.

Don't believe me? Compare the number of successful exploits of Linux servers with those of Windows, over the last several years. Compare how quickly those holes were patched. It's true that open source users may be slow to patch their stuff, that potential exploits can live on remote servers for years, but even that doesn't result in a crime wave.

It takes a village to protect your software. Having a few cops on the beat is nothing next to a good neighborhood watch. The broader the base of code users, the more important this becomes. Innovating on top of most open source code is legal, with licenses like Eclipse and Apache actually encouraging it. But that innovation is on top of secure code. The innovation is only a small part of the whole, and the creator of that innovation can put all their energy into protecting that small portion, knowing the foundation is secure.

The closing argument of closed source advocates is money. Look at all the money Oracle(:ORCL) and Microsoft(:MSFT) make, they say. Because they sell a whole stack of software they bring in the cash they need to buy everyone else, even the open source companies.

Well, look at IBM(:IBM). They moved to open source Linux for their base nearly two decades ago. And over the last five years which of the three -- Oracle, Microsoft, or IBM -- has done better for shareholders?

Answer: IBM. It's not close.

The lesson seems clear to me. The wider your software's user base, the deeper the code base is, the bigger the advantage an open source approach has.