More on the Security X-Factor: Vista beating Linux, XP, and Mac
NOTE: this post is essentially a comment to this post here. By the time I was finished, the comment was so long I figured I'd just make it a post in its own right. :-) -John
Wow! Well, I appreciate when people make the effort to express themselves on this blog, whether the comments are positive or negative. I believe it's important to be open to criticism -- and this blog is no exception. Of course, that doesn't mean I always agree with the comments! But that's one of the great things about blogs -- you can really get multiple sides of an issue, and hopefully everyone learns something along the way.
In this case, I'd like to make a few general observations:
Security is a complex, multi-faceted issue. There's no single view on the topic of security that by itself is complete. This fact doesn't make the individual views any less valid. Jeff chose to look at vulnerabilities discovered in the first 6 months each OS was GA. Is that a complete 360 degree view of the topic? No. Is it part of a full view of the topic? Yes.
Why look at just the first 6 months? Well, because Vista has only been GA for about 6 months. If you look at all vulnerabilities discovered over the life of an OS from GA to now, it's still only 6 months for Vista and it’s a lot longer for the other OSes -- 5+ years for some of them. That doesn't seem like an especially useful exercise.
And why not look at just the last 6 months? Well, think of it as similar to the J.D. Power Initial Quality Study (IQS). The IQS scores measure the number of things that bother the customer about their new vehicle in the first 90 days of ownership. It doesn't matter what time of year, or even what year, a model is released -- IQS is always the first 90 days of ownership. IQS scores show, for example, that the industry as a whole is improving the initial quality of vehicles over time. That is, scores have trended lower (which is better) over the years. Additionally, cars, like OSes, benefit from continuous improvement, generally getting better as the model ages. Comparing products at different points in their lifecycles is OK at times, and comparing them at equivalent points in their lifecycle is also definitely useful.
BTW, when a new vehicle model is introduced with very good IQS scores, it's a testament to excellent design, engineering, and launch practices. In the software world, the same is true. Big improvements at launch don't always happen, and when they do, it can suggest foundational improvements in organizational capability. In the case of Vista, I think it suggests that the great security processes within Microsoft's SDL really work. I believe Vista is the most secure OS that Microsoft has ever released, and the SDL is probably one of the biggest reasons why.
One impact from a more secure OS is likely to be more hackers targeting applications. In some ways, this is the real story here. The threat modeling really is valuable, and I encourage you to take a look at it.
Net-Net: there are many ways to measure security, and Jeff chose one for his comparative report. It's a valid contribution to understanding an important part of the complete security picture around the various desktop operating systems out there today. Jeff's work suggests Microsoft's approach to designing security into its products is very effective. (BTW, the SDL is for all Microsoft software -- not just OSes.)
Whether you agree or disagree with this or other posts, I invite readers to continue submitting comments and also to color the commentary with some evidence, which can help us all learn something. And please take a look at threat modeling. :-)
Comments
- Anonymous
July 15, 2007
Rosyna, Thanks. I think you have a good point when you say that just because vulns haven't been discovered doesn't mean they don't exist. Of course, it's much easier to measure / count them once they are discovered, and it's very difficult to prove something doesn't exist. This holds true for all software, and is another reason that Microsoft's Security Development Lifecycle (SDL) is so important, because with this process security is rigorously designed in - so many more vulns are prevented vs. discovered and fixed. This is part of the reason why I'm optimistic about Vista's security. Re: vulns being mostly theoretical, this is a comment I've heard a number of times. The logic usually being that XP presents a more attractive target to hackers because it's widely used. It will be interesting to see if this becomes less true over time, as OS security continues to improve. For example, as Vista deployments grow, will hackers look somewhat more often at other OSes as comparatively easier targets? Time will tell. Either way, security researchers will continue to find and fix vulns in all OSes. This is why I also recommend looking at the timeframe from vuln discovery to patch availability as an important metric. Given that available patches are not always deployed immediately, signing up with a free patch service like Windows Update is often a good idea for many folks.