There is a false assumption that open source is less secure. Pingdom, which describes itself as a big fan of the Apache HTTP web server, recently published an interview with William A. Rowe Jr., who until just recently was the Vice President of the HTTP Server Project.
The interview covers a number of topics around the Apache HTTP Server and open source security.
According to Rowe, the common argument is that because the source code of open source projects (like Apache HTTP Server) is openly available, the software must be less secure.
"The least concern that closed source manufacturing companies like Microsoft have is the public disclosure of some of their source code. Of far greater concern is the espionage of source code, or discovery of bugs by pen testing, where they are unaware that it's being audited," Rowe said.
The Apache Software Foundation has a team that does exactly this kind of auditing on its own projects: automatically scanning code and raising alerts to particular projects when something is found. This can be a clear vulnerability, or something that is not yet a clear vulnerability but should be looked at because it could become one.
You can read the full interview on Pingdom.