Vulnerability statistics for Mac and Windows | George Ou | ZDNet.com
No matter what some people may say, vulnerability ratings from Secunia are a valid measurement of security risk. If we can't count the number of actual security vulnerabilities (with severity and patch status in mind), what can we count?
No matter what Ou says, things aren't necessarily this black-and-white.
Secunia is a research organization, so the vulnerabilities it uncovers are quite possibly directly proportional to their knowledge of the systems they're examining. Do the numbers suggest that Mac OS X is less secure than Windows XP, or that Secunia has a more intimate knowledge of open, UNIX-like systems (since, after all, Mac OS X has FreeBSD at its core)?
Moreover, the timeframes for these comparisons have an effect on the conclusion. Windows XP was released in 2001, and has had only two Service Packs since. In that time, Mac OS X has undergone five major updates, including two in Panther and Tiger which have brought substantial changes. My question is: would it be more appropriate to compare two pieces of software over similar time frames during the same stages of their respective release cycles? That would mean comparing vulnerability reports for the first 12 months of Windows XP SP2 against the first 12 months of Mac OS X 10.4, for example, rather than just a snapshot of the last 12 months.
Perhaps part of this is Mac (and UNIX-derivative) bias. I happen to think that Mac OS X, by virtue of its FreeBSD underpinnings, is inherently more secure than Windows XP for a number of reasons (drivers not being installed in kernel mode, a generally reasonable privilege model, the lack of an all-powerful embedded scripting engine, etc.). But my major motivation is the fact that quoting security advisory numbers is a dangerous abuse of math; a kind of "damned lie." Advisory services aren't canonical repositories of objective truths; they're businesses. They're limited by their perspective, bias, and resources in how much they can know.
