Security by obscurity? Symantec wants to keep it's source code secret in response to Russia?

By Kaspersky Lab [Public domain], via Wikimedia Commons

In a reactionary move most likely guided by fear rather than by measurable security benefit the company Symantec has decided to stop letting countries analyze it's source code. Why might this be a problem? Just because the source code cannot be directly analyzed it does not mean the flaws don't exist or that it cannot be indirectly analyzed. Should we finally move away from closed source "anti-virus" software?

While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.

To put it another way, should we change the trust model and shift the trust away from companies like Symantec and onto a global network of source code auditors? Is there any evidence that merely not disclosing the vulnerabilities inherent in the code that this will somehow benefit security? What about the possibility of backdoors? Any time software is closed source or pre-compiled you really cannot know what the software is doing. Governments likely do seek to put backdoors in any closed source software but I do not see how this particular kind of secrecy does anything to benefit actual security or even the perception of safety. Less eyes reviewing the code is still less eyes reviewing the code.

If anyone has a cybersecurity background feel free to offer your opinion on this.

References

1. http://www.reuters.com/article/us-usa-cyber-russia-symantec/exclusive-symantec-ceo-says-source-code-reviews-pose-unacceptable-risk-idUSKBN1CF2SB?il=0