28 Feb 07

Operating System Vulnerability Scorecard

Jeff Jones announces in his blog at CSO Online that he will be publishing a monthly Operating System Vulnerability Scorecard. He has also published a description of the methodology, sources and assumptions.

The Scorecard will have different sections on workstation (Vista, Windows XP SP2, RHEL4 Workstation, Ubuntu 6.60 LTS, and Mac OS X) and server (Windows Server 2003, RHEL 4 AS, and Sun Solaris 10) operating systems. Jeff is careful to specify the kinds of packages and components that will be taken into account.

The results for “Year to date 2007” (that is, January + February) are the following:

[Figure: Vulnerability Scorecard - Workstation OS - 2007]
[Figure: Vulnerability Scorecard - Server OS - 2007]

Of course, there is an important caveat. “Level of risk” is not the same as “number of vulnerabilities”. In the words of the author:

Security professionals will correctly note that vulnerabilities represent only part of the security picture, with the risk equation also needing an understanding of the potential threats and value of the information at risk. However, number and quality of attackers are elements largely orthogonal to factors that vendors have the ability to influence. Vulnerabilities, on the other hand, are a factor that vendors can influence directly by investing in process, testing and other best practice Q&A techniques to reduce bugs and raise quality of shipping products.

Jeff is a Microsoft employee. Read his post titled “Exactly how biased am I?”
