
Microsoft Scores Well On Security Analysis



Posted

Microsoft scores well on security analysis

By Rob O'Neill

October 12, 2004


Microsoft's performance on security may not be as bad as it is painted, according to an analysis of vendor security advisory notices issued over the past month.

US-based website Secunia logs security advisory notices issued by more than 700 hardware and software vendors, listing each with a severity rating and link to details of the notice and patches. Next analysed these listings last week to understand which vendors or developers were issuing the most warnings.

Contrary to much industry press coverage, however, Microsoft only just makes the top 10.

The analysis, covering September and the beginning of October, shows developers of open-source systems (systems released under a special licence, which - among other provisions - allows free access to the source code of programs) releasing far more security advisories than traditional software vendors.

Different vendors report their vulnerabilities in different ways, and some can be reluctant to report them at all. Oracle, for instance, issued only one advisory in the period studied, according to Secunia.

However, that one advisory covered multiple security issues - 22, in fact - that would have promoted the company to second place if each of these were reported separately, as do both the open-source developers and Microsoft. Microsoft in each notice then goes on to list the products that are affected by that vulnerability. Sometimes that list can be extensive.

Con Zymaris, spokesman for Open Source Victoria, says comparisons based on the number of notices released are invalid, as the main open-source vendors each supply an "order of magnitude" more applications than a company such as Microsoft.

Linux application developer Gentoo, for instance, produces "10 to 20 to 30 times" the number of applications Microsoft produces, Zymaris says.

"Debian has 10,000 software packages," he says. "Even a smaller system like Red Hat has 450 to 500 applications."

Zymaris says the period covered in the analysis should also be expanded as Microsoft tends to issue its notices in groups.

However, a scan of advisories issued in August does not reveal a number from Microsoft that would significantly change the initial findings.

Ben English, Microsoft Australia's security spokesman, says the company's own intelligence would confirm the results. Microsoft relies on a report from international analyst firm Forrester Research, which, he says, also shows Microsoft had fewer vulnerabilities.

"Microsoft has the fewest absolute vulnerabilities and the lowest number of severe vulnerabilities," he says.

English says there are other factors that should be considered, such as responsiveness.

He says the Forrester report shows Microsoft responding twice as quickly as open-source vendors.

"Numbers are numbers," he says. "We will not be happy until we get as near to zero as we can."

Zymaris says the advisory notices represent only the problems vendors publicly acknowledge, though he does concede Microsoft has lifted its act on this in recent times. In 2002, in answer to a similar comparison of Windows against the Red Hat flavour of Linux, Zymaris concluded that the process was pointless. However, even on the figures presented, it could be argued Linux was much more secure than Windows.

"When one does a quick and dirty calculation," he wrote at the time, Linux "can be viewed as being 20 times more secure than Windows (in that) it ships with 20 times as much material but releases approximately the same number of security alerts as Windows."

Nevertheless, on the figures seen here, over the past two years Microsoft appears to have drastically reduced the number of advisories it issues in comparison with many other vendors.

English says over the past three years Microsoft has implemented a program called the Secure Development Lifecycle.

This involves rigorous testing of software to ensure vulnerabilities are fixed before the software is released. So far the only version of Windows to go right through that process is Windows 2003.

"It is a journey," English says. "We have had significant reductions in the number of vulnerabilities since we started and are pleased with the process."

The Forrester report, released in March, collected a year's worth of data and concluded that Microsoft software and that of four key open-source Linux distributions could be deployed in business securely. That research looked at vendor responsiveness to security issues, thoroughness of fixes and the severity of vulnerabilities.

Posted

francois is trying to get his star office to open ...

\root\dev\0_ahc\staroffice\what\a\long\command\line\typing\my\fingers\to\much\office.tar

    #!/bin/bash
    # Report whether the first positional parameter ($1) was supplied.
    # -n is true when the (quoted) string is non-empty; quoting keeps an
    # argument with spaces or an empty argument from breaking the test.
    if [ -n "$1" ]; then
        echo "Positional parameter 1 contains something"
    else
        echo "Positional parameter 1 is empty"
    fi

What the F*** :o:D:D
