Doesn't hiding source code automatically make software more secure?
No. Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks:
• Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don’t need source or binary. Observing the output from inputs is often sufficient for attack.
• Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries – source code is not needed for them either.
• Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. Such source code may not be adequate to cost-effectively maintain the software, but attackers need not maintain software.
• Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Continuous and broa