High stakes deployments drive security. Security starts to be addressed when deployments are highly exposed, either because they are many and on the open internet dealing with a lot of traffic, or because wealthy clients consider them business critical.
The risk of major annoyance to a large number of sophisticated users _or_ annoyance/financial loss to wealthy players is the "market feature" that makes the security of a software product evolve.
Wealthy players assert pressure on proprietary vendors (eg Oracle) or pay auditors/programmers to audit&fix FOSS (Postgres, MySQL). Many non-wealthy users can put some pressure on a proprietary vendor (IIS), and can do a lot more for a FOSS product (Apache).
In the end, there is an important degree of market dynamics in both models, in particular with the sophistication of the buyer (awareness of security as an important factor). Some proprietary tools hare more mature and have had more high-stakes deployments, we should expect their security to be more mature.
A few observations remain:
- in the many small interests scenario, FOSS is
more effective than proprietary (Apache/IIS).
- in the wealthy client scenario, it is hard to define which is more efficient, but in the case of FOSS, clients need to be hands on.
- large markets of non-sophisticated users are ill-served -- noone seems to be interested in providing security to those who don't care.
Background: I have been working with FOSS for several years, and done several security audits of FOSS software. Some resulted in security patches being offered to the project maintainers. The security audits were paid for clients interested in high stakes deployments. I have also had to deal with exploited servers and workstations where the vector had been flaws in FOSS and proprietary software.