Vulnerability Count

John (EBo) David plug-discuss@lists.PLUG.phoenix.az.us
Sat, 25 Aug 2001 11:35:38 -0700


Kevin Buettner wrote:
> 
> On Aug 25,  9:10am, Kimi A. Adams wrote:
> 
> > I find it just as interesting that the number of vulnerabilities for Red
> > Hat is darn near close to Windows NT.  Most people think of Red Hat when
> > they first start hearing about Linux and believe that it's better
> > security.  But as your numbers prove, it's much less secure than other
> > packages.  I would be very curious to see what Debian's numbers would be in
> > comparison.
> 
> Visit http://www.securityfocus.com/vdb/stats.html and see for
> yourself.
> 
> But, while you are there, take a look at the number of reported
> vulnerabilities for (e.g.) OpenBSD during 1997 vs. 2001, and
> then ask yourself if you really believe that OpenBSD circa 1997
> is more secure than OpenBSD circa 2001.  Do the same thing for
> the various versions of Linux too.  If you (mistakenly, IMHO)
> equate lower numbers with being more secure, then you'll find
> that the most secure version of Debian (or Red Hat) existed in
> 1997 and things have gotten steadily worse since!  (The year 2001
> numbers are better than the year 2000 numbers for both OSes, but the
> year isn't over yet.)
> 
> In other words, take these numbers with a grain of salt.

Absolutely.  You also have to consider the user base, reporting
accuracy, exposure, etc.

I would contend that any given package will start out with some bugs,
taper off, then as the project gets overly complex and/or old the bugs
typically begin to go up again.  When releasing a major revision you
tend to start the cycle over...  That has been my experience and
observation.  Now for which is the most secure:  by what and whose
criteria?

  EBo --