By Ryan Russell

Measuring the vulnerability of operating systems and applications to attacks from hackers is vital to safe computing on the Internet. The most common measure of computing security is counting vulnerabilities. But using this metric is horribly inaccurate and needs to stop.
Inflaming the debate over who has the most bugs
I recently read yet another story about vulnerability counts and which vendor is the worst offender. The article in question, published by AppleInsider, claims Secunia is “assailing Apple” in its most recent security report (PDF).
The article is obviously a defense of Apple, but its basic premise is sound: how should you interpret vulnerability data? AppleInsider pointed out that some Apple foes have taken the least-specific, aggregate data of vulnerability counts out of the Secunia report and declared Apple the big security loser.
It didn’t help that contradictions in Secunia’s report added fuel to what became a flaming debate over who has the worst security. The report stated that you should not use its data to compare vendors: vulnerabilities vary by product, not by vendor. But it also printed a simplistic “Top-10 vendors with the most vulnerabilities” chart. Unfortunately, we’re more likely to remember charts than text.
(It’s fair to point out that Secunia makes vulnerability-scanning software that Windows Secrets continues to recommend.)