Maybe, but I have my doubts. Having an open source web application running on your site can become a security nightmare or may eventually cause a high maintenance cost in the long run.
Example: you have just installed a really nice web application that is popular and feature rich. The next morning you receive a security alert that an exploit has been found in that application. That happened to me during the last couple of weeks with two web applications (CMS). Having little or no time to spend on my own site, I wanted a web application that I can install, leave running, and maybe occasionally do upgrades or fixes. But two incidents in the same week for two different web applications made me think twice. The site I wanted to start is closed till I figure out my next move. Maybe it is my own perception, but I have found that most of the commercial open source web applications are more secure than free ones. Is that your experience as well? Probably it comes down to spending my own time to secure such an application or letting others do the job for me and purchasing a commercial product.
One approach I am thinking of is taking daily or even hourly offsite backups of the web application and its database, so if it gets hacked due to a new exploit being discovered, I do not have to worry about it. But then there is another problem: some exploits can cause server damage as well, e.g. remote arbitrary code execution (xss?).
One other problem that I faced is that some applications do not have a straightforward process to apply a patch/upgrade. Spending 2 hours to go through 10 steps to upgrade the application is not a good idea. This probably happens with applications that were designed on the spur of the moment without proper design. Maintaining such an application is no doubt difficult for the developers as well. Oh, btw, you should sign up for daily alerts at secunia.com if you are using any 3rd party application, or join the announcement/development mailing list of the product you are using to stay up to date with any patches/updates released by the vendor/developers.
I’m not sure if I can agree with you. Yes, popular software (open and closed) is more in the picture than unique software. So exploits and security issues are sooner brought to daylight. Yes, among the open source software there are a lot of products which are not (yet?) ready to be used in a production environment. Closed software is often more tested, and therefore ready to use. However, that’s also why you have to pay for it.
I think that if you’re not a developer or a purist, and don’t want to put effort into maintaining your software, you have to be more careful with which software you choose. For instance, and this is a bit ordinary because it’s no server application, Mozilla Firefox is an open source product which is developed enough to compete with closed software. And so there are many others. Also server based (i.e. Apache).
I think you just have to be more selective in which software you want to use. Don’t just look at their feature list, but also at its community (thereby its support), the upgrade timetable (if a product was last updated 6 months ago and is still used by a great number of people, you can call it stable) etc.
And don’t always use the last version, but the second last. There’s more information available about its bugs and the solutions to them.
To conclude, to use open source software you have to look further than its feature list. You can’t just trust its beautiful blue eyes, but have to put more effort into it. Therefore it’s not better or worse than closed software. It’s just different.