One thing I didn't see discussed in the article was the balance between the benefits of security by obscurity, and the benefits of having your code open source (or at least making your security methods known) so more people can audit it. Personally I don't actually think there is that much security benefit to having open source code since most people don't audit random codebases for fun, but that is one of the arguments I've heard against obscurity. Of course some methods of obscurity can still be done with open source code as well.
Open sourcing has to be done with the audience in mind. It generally doesn’t make sense to (publicly) open source a system that is idiosyncratic to a single organization. The only likely interested audience is hostile attackers. A useful general purpose dev tool though? Sure, and the people using it might be able to help.
