Jeff Jones has published another one of his vulnerability scorecards comparing various operating system offerings. As always, these figures just list the patched vulnerabilities over the designated period of time; they do not take into account any unfixed or undisclosed vulnerabilities. Hence, these reports are not proper measurements of security - they are just that, a tally of fixed vulnerabilities. Any conclusions like "x is more secure than y" cannot be drawn from this data set. As always, do with it as you please.
Just .5 more cents, though.

First, as it was already pointed out, by H.H. B. Schneier himself and some other people, real secure software will be produced when the software companies will somehow be held accountable for the security of what they deliver.

The typical production cycle of software still follows this progress:
- make it work (most of the time)
- make it fast (whenever there are more than enough user complaints)
- make it secure (when we are more than 95% sure some capital loss or other litigation is headed our way)

Security will never be about insurance, more about risks: because it's going to be an arms race between 'us' and 'them' forever, that's a sad fact.

Now if someone wants to go and produce useful security metrics instead of doing some kind of backwater irrelevant PR^H^Hstatistics, here's my idea:
Your favorite OS/Application can be as insecure as it gets; if you are the only one using it, you are at less risk than with a "semi-secure" OS that is targeted by millions.

This is indeed a caricature, but if someone could really get out some statistics pointing out, let's say, the number of active attack vectors against the number of unpatched threats out there, per OS, that would give you an estimation of how much using this OS is a real risk, and probably how much it's going to cost you to "secure" it.

Any takers?
(I might start searching for venture capital anytime soon ;-)

