A Penny For Your Thoughts: Compatability of Open Source and my (future) Startup

1 points by Towle_ ↗ HN
I love the idea of Open Source, and I (think I would) love to release my startup's code as Open Source, both for moral/worldview reasons and because I believe doing so would (indirectly) make the company more profitable.

But I can't seem to get rid of one last concern: user security.

[Note: I won't go into too much detail about what my future startup will be because a) at this point I'm honestly just not comfortable doing so, and b) leaving such variables undefined means others with similar concerns but different startups can gain more from this discussion.]

Among other things, my startup will involve such "features" as user login (id/password), user-to-user communication (not just text but files, etc. as well), and user storage (again, files etc.). In essence, given the nature of my startup, user security will be a big issue for buyers, as well it should be.

So, the ultimate question becomes: Is it possible to release all code as open source without risking security issues? Or should I just release all code unrelated to security as open source? If the latter, how can I be certain which code could risk security if released open source and which code would not?

Thanks in advance for all comments.

3 comments

[ 3.5 ms ] story [ 16.4 ms ] thread
Rather, stick to some existing and heavily tested open-source security solution. That way, users of your code can also use it without concern. Security by obscurity is known not to last very long in the wild.

On an unrelated note, "Penny for your thoughts" would be an awesome name for a micropayment startup.

Kliment

(Until we get that micropayment setup going, I'm going to need your home address to send these two pennies in return for your two thoughts. Or...if you deem it an agreeable alternative, I'll just give you my "two cents" instead.)

Yeah, that's probably what I'll do. Obviously, I have little experience with security coding...probably should've figured that. Humor the ignorant by answering another question, if you (or anyone else) would: what seem to be the primary reasons 'security by obscurity' fails so often? I can surmise, of course, that the cleverness of the many outweighs the cleverness of the few...especially when compounded with the depth and breadth of testing of the many vs. the few. Anything beyond that?

If it's any in-cent-ive (oooh I like that pun :D), should you respond to this question as well, I hereby release any and all intellectual property rights I hold (i.e., none) over the phrase "Penny For Your Thoughts" should you want to ever use it.

Okay, you've in-cent-ivized me. The way I see it, when you have a secret security solution, you tend to convince yourself that "it's okay, noone will ever figure it out" and thus settle for something less secure than you'd have to otherwise. A lot of security solutions thought of by very experienced and smart people have been broken. Assuming yours would be better is quite a statement. If you can back it up, awesome, then all the more reason to publish it and collect fame.