A client I work with mentioned that for high security related projects, that developing them in an open source way will actually decrease the security provided by the project. The idea being that if anyone can see the architecture and code while it is being developed they can prepare to compromise the security. This made sense at the time and I nodded, but after chewing on it for a few weeks I think this is not the case at all.

There is certainly the argument that implementations are not open source. Of course that makes sense as no one will open up the server configs, passwords, private keys, etc. But the actual software that is used within an implementation gets more secure if developed as open source software.

So here's the short list off the top of my head of security related open source projects that are pretty widely used:

• Advanced Encryption Standard (AES/Rijndael) - approved by NIST in 2001. First open cipher used by NSA to secure top secret information.
• OpenSSL - Since 1998
• OpenSSH - Most widely used SSH implementation with over 80% usage [source]
• SELinux - NSA developed linux security


• Gnu Privacy Guard (GPG) - implementation of OpenPGP for signing/encrypting using PKI
• Trusted Solaris - developed by Sun under OpenSolaris
• Plus lots more that I can't think of right now...
  

Of course others have written on this subject and pretty much conclude that not only does OSS improve a project's security, not being OSS is quite a large vulnerability.