At a recent interview, I was asked:
An open source web app (say, built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do you prevent it?
My response was:
The Java source code is not directly accessible. It is compiled into class files, which are then bundled in a WAR file and deployed within a secure container like the WebLogic app server.
The app server sits behind a corporate firewall and is not directly accessible.
At that time, I did not mention anything about XSS and SQL injection, which can affect a COTS-based web app just as much as an open source one.
My questions:
a) Is my response to the question correct?
b) What additional points can I add to the answer?
Thanks in advance.
EDIT:
While I digest your replies, let me also point out that the question was also aimed at frameworks such as Liferay and Apache OFBiz.
The question is a veiled argument for security through obscurity. I suggest you read up on the usual arguments for and against and see how that fits:
My personal opinion is that obscurity is at best the weakest layer of defence against attack. It might help filter out automated attacks by uninformed attackers, but it does not help much against a determined assault.
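An added example, written for this page and not part of either post above, that shows why compiled class files and a firewall do not remove the SQL injection risk the asker mentions: an attacker who can only submit a login form and observe accept/reject never needs the source. The example is in Python with an in-memory SQLite database so it runs stand-alone (the page discusses Java, but the string-concatenation bug and the parameterised fix are identical in JDBC). The table, user records, function names and payloads are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input becomes SQL syntax.
    This is the pattern that is exploitable whether or not the source is
    public; the attacker only interacts with the returned True/False."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Same query with bind parameters: input can never change the SQL
    structure, so the same probes below get a consistent 'rejected'."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def is_injectable(login, conn):
    """Black-box boolean probe: send a tautology and a contradiction in the
    password field. If the two responses differ, input is being interpreted
    as SQL. No class files, WAR or source were needed to learn this."""
    tautology = login(conn, "alice", "' OR '1'='1")
    contradiction = login(conn, "alice", "' OR '1'='2")
    return tautology != contradiction


def bypass_works(login, conn):
    """Authentication bypass: comment out the password check entirely."""
    return login(conn, "alice' OR '1'='1' --", "anything")


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        db = build_db()
        print(name, "injectable:", is_injectable(fn, db),
              "bypass:", bypass_works(fn, db))
```

The point for the interview answer: hiding the source (compilation, a WAR, a firewall in front of the container) changes nothing about `is_injectable` returning True for the concatenated query, because the attacker's probe uses only the application's observable behaviour. What removes the finding is the code change in `login_fixed`, which is equally necessary for a closed-source or COTS application.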