Steve Bellovin, one of the pioneers of Internet security, wrote a blog post about security, open source, and the secure development process. It's worth reading if you're an open source fan, or if you're not.
My one quibble is that Steve refers to fixing bugs in a way that implies that fixing bugs by itself is enough to improve security. Our experience is that fixing bugs after the fact is not enough: you also have to use tools and processes that specifically keep security bugs from getting into the code in the first place.
But that’s a minor quibble. I think Steve’s post is right on and a great read.