Security is more than raw numbers and statistics

The latest US-CERT security bulletin is getting a lot of press lately, most of it misguided. Joe Barr and I wrote a short piece (Joe Barr deserves most of the credit, I just added a few grafs…) trying to set the record straight when it comes to security vulnerabilities, which seems to have actually penetrated the fog of the mainstream tech media.

Since I spend much of my time interviewing other folks, it was a bit fun to turn the tables and to be interviewed for this NewsFactor story on the topic by Jay Wrolstad. (All things being equal, however, I think I prefer asking the questions…)

The crux of the biscuit is that mainstream tech pubs have been reporting the sheer number of reported vulnerabilities as being representative of the actual level of security for a given operating system. I’m hoping, though not convinced, that the message may be finally getting through that the number of reported vulnerabilities is not the same as how vulnerable an operating system is or isn’t.

Actually presenting a fair picture of operating system security is pretty hard, but here’s a hint for anyone who’s looking to try — a good overview needs to take into account the following:

  • How many vulnerabilities appear during a given period.
  • How many exploits appear during a given period.
  • How long it takes a vendor to issue a patch or fix for the vulnerability.
  • How hard/easy it is to construct an exploit for the vulnerability.
  • Who’s identifying the vulnerabilities? Is it the vendor, or outside parties?

In short, just taking a raw number and saying “OS A is secure and OS B is less so, because OS A only has a fraction of OS B’s vulnerabilities” is pretty bogus. It’s worth noting that the US-CERT report is unfair to Windows as well as Linux/UNIX/Mac OS X because vulnerabilities against programs like “Apple Darwin Streaming Server” are counted against the Windows tally. WTF? Most Windows users don’t have that application installed, so how should it count as a “Windows” vulnerability? At the same time, it doesn’t look like most of the Firefox vulnerabilities were tallied under the Windows column, even though Firefox also runs on Windows.
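To make those factors concrete, here is an added example (my own illustration, not code from the original post) that profiles a handful of constructed vulnerability records against them, counting each flaw against every platform its software actually runs on instead of a single bulletin column. Product names echo the post, but the dates and flags are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class Vuln:
    product: str
    platforms: frozenset      # every OS the affected software actually runs on
    reported: date
    patched: Optional[date]   # None: no fix shipped yet
    exploit_public: bool
    found_by_vendor: bool

# Constructed sample records: hypothetical dates and flags, not real advisories.
SAMPLE = [
    Vuln("Darwin Streaming Server", frozenset({"windows", "macos", "linux"}),
         date(2005, 2, 1), date(2005, 2, 11), False, False),
    Vuln("Firefox", frozenset({"windows", "macos", "linux"}),
         date(2005, 3, 1), date(2005, 3, 3), True, False),
    Vuln("libXpm", frozenset({"linux"}), date(2005, 4, 1), date(2005, 4, 2), False, True),
    Vuln("netpbm", frozenset({"linux"}), date(2005, 5, 1), date(2005, 5, 6), False, False),
    Vuln("WMF rendering", frozenset({"windows"}), date(2005, 6, 1), None, True, False),
]
PERIOD_2005 = (date(2005, 1, 1), date(2005, 12, 31))

def profile(vulns, start, end):
    """Per-OS view of the five factors for flaws reported within [start, end].
    A cross-platform flaw counts once per platform it affects, so a single
    'Windows' bulletin column never absorbs a Darwin or Firefox bug."""
    acc = {}
    for v in vulns:
        if not (start <= v.reported <= end):
            continue
        for os_name in v.platforms:
            s = acc.setdefault(os_name, {"count": 0, "exploits": 0, "vendor_found": 0,
                                         "unpatched": 0, "patch_days": []})
            s["count"] += 1
            s["exploits"] += int(v.exploit_public)
            s["vendor_found"] += int(v.found_by_vendor)
            if v.patched is None:
                s["unpatched"] += 1      # exposure window still open
            else:
                s["patch_days"].append((v.patched - v.reported).days)
    return {os_name: {"count": s["count"], "exploits": s["exploits"],
                      "vendor_found": s["vendor_found"], "unpatched": s["unpatched"],
                      "median_patch_days": median(s["patch_days"]) if s["patch_days"] else None}
            for os_name, s in acc.items()}
```

Calling `profile(SAMPLE, *PERIOD_2005)` on this data gives Linux the largest raw count yet the shortest median time to patch and no unpatched, publicly exploited flaw, which is exactly the gap between a vulnerability tally and actual exposure.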

I’ll take ten minor flaws in things like LibXPM or netpbm over the WMF flaw that a lot of Windows shops are concerned with right now.

About Joe Brockmeier

I'm a freelance writer, FOSS advocate, music lover, computer geek, avid reader, and politically progressive (read "Liberal with occasional Libertarian tendencies"). You can read more on my about page if you're not already bored.
This entry was posted in Linux, Open Source, Security.
