Thursday, January 05, 2006

If it's in The Register, it Must Be True

Surprisingly, this matches other things that I've read internally.

It might not feel like it, but Windows suffered fewer security vulnerabilities than Linux and Unix during 2005.

Linux and Unix experienced more than three times as many reported security vulnerabilities as Windows, according to the mighty US Computer Emergency Readiness Team (CERT) annual year-end security index.

Windows experienced 812 reported operating system vulnerabilities for the period between January and December 2005, compared to 2,328 for Linux and Unix.
CERT found more than 500 multiple-vendor vulnerabilities in Linux and Unix spanning old favorites such as denial of service and buffer overflows, while CERT recorded 88 Windows-specific holes and 44 in Internet Explorer (IE). For a complete list of vulnerabilities, you can visit the CERT site here.

That said, I don't believe in these kinds of number comparisons. I've said so in the past when they have been both for and against us. When I get slides from corporate that contain numbers like this, I throw them away. I don't know what these numbers are actually measuring, I don't know how they are weighted by severity and, most of all, I have no idea what the actual defect rate is across the products, so I don't know what they mean. Are the Linux numbers high because they just disclosed a bunch of fixes? Is it because of upgrades to sub-systems like Oracle? I just don't know.

Days at Risk is a slightly better measure, but also has a very subjective component.

I'm not crowing about this and not sure why any actual security professional would.

Of course, that lets off the sales and marketing staffs.
