Vulnerability Count
John (EBo) David
plug-discuss@lists.PLUG.phoenix.az.us
Sat, 25 Aug 2001 11:35:38 -0700
Kevin Buettner wrote:
>
> On Aug 25, 9:10am, Kimi A. Adams wrote:
>
> > I find it just as interesting that the number of vulnerabilities for Red
> > Hat is darn near close to Windows NT. Most people think of Red Hat when
> > they first start hearing about Linux and believe that it's better
> > security. But as your numbers prove, it's much less secure than other
> > packages. I would be very curious to see what Debian's numbers would be in
> > comparison.
>
> Visit http://www.securityfocus.com/vdb/stats.html and see for
> yourself.
>
> But, while you are there, take a look at the number of reported
> vulnerabilities for (e.g.) OpenBSD during 1997 vs. 2001, and
> then ask yourself if you really believe that OpenBSD circa 1997
> is more secure than OpenBSD circa 2001. Do the same thing for
> the various versions of Linux too. If you (mistakenly, IMHO)
> equate lower numbers with being more secure, then you'll find
> that the most secure version of Debian (or Red Hat) existed in
> 1997 and things have gotten steadily worse since! (The year 2001
> numbers are better than the year 2000 numbers for both OSes, but the
> year isn't over yet.)
>
> In other words, take these numbers with a grain of salt.
Absolutely. You also have to consider the user base, reporting
accuracy, exposure, etc.
I would contend that any given package will start out with some bugs,
taper off, then as the project gets overly complex and/or old the bugs
typically begin to go up again. When releasing a major revision you
tend to start the cycle over... That has been my experience and
observation. Now for which is the most secure: by what and whose
criteria?
EBo --