Secure Coding mailing list archives
security half-life and critical mass
From: securecoding2dave at davearonson.com (securecoding2dave at davearonson.com)
Date: Fri, 21 Jul 2006 19:43:43 -0400
Mark Graff wrote:
> I have therefore often wondered if we should be talking, not about how "secure" a system is, in a static sense, but rather what its security half-life is.
Interesting point!
> This reasoning leads me to the thought that Mac OS X, for example, is "more secure" than Windows XP for reasons having nothing directly to do with design or implementation, but rather pertaining to its very ubiquity. XP, in this sense, is the center of the bullseye.
This one however has been raised many times before. Yes, if MacOS (or Linux or BSD or OS/2 or whatever) had a much larger market share, there would be many more attacks developed against it than now. However, from all I've read (not having actually TRIED to attack it myself), it is indeed much more securely designed, implemented, and typically deployed, installed, and maintained, than Windows. So, assuming equal market share, I predict that you'd have several times the viruses, worms, rootkits, etc. directed against Windows, simply because there are several times as many chinks in its armor, and, just as now, gazillions of times as many Windows machines actually broken into or otherwise damaged due to bad security, as Mac.
> Gee, maybe software systems emanate a modicum of "unsecurity gravity", so that if you get a great many of them together (that is, if millions and millions of people buy the product), security plummets, and declines as the square of the distance to True Dead Center of the day's commonplace platform. Or, to put it another way, this is why XP sucks.
It's one factor. If the market share figures were reversed, there would probably not be as many attacks written for it, and certainly there would be fewer worm-infected machines trying to attack other XP boxen. But it's far from the only reason.
----- Original Message ----- From: <sc-l-request at securecoding.org> To: <sc-l at securecoding.org> Sent: Friday, July 21, 2006 5:05 AM Subject: SC-L Digest, Vol 2, Issue 124
Please trim your quoted matter to just what's necessary to give us a clue what you're talking about. Google netiquette. -Dave