Secure Coding mailing list archives

security half-life and critical mass


From: securecoding2dave at davearonson.com (securecoding2dave at davearonson.com)
Date: Fri, 21 Jul 2006 19:43:43 -0400

Mark Graff wrote:

> I have therefore often wondered if we should be talking, not about how
> "secure" a system is, in a static sense, but rather what its security
> half-life is.

Interesting point!

> This reasoning leads me to the
> thought that Mac OS X, for example, is "more secure" than Windows XP for
> reasons having nothing directly to do with design or implementation, but
> rather pertaining to its very ubiquity. XP, in this sense, is the center of
> the bullseye.

This one however has been raised many times before.  Yes, if MacOS (or 
Linux or BSD or OS/2 or whatever) had a much larger market share, there 
would be many more attacks developed against it than now.  However, from 
all I've read (not having actually TRIED to attack it myself), it is 
indeed much more securely designed, implemented, and typically deployed, 
installed, and maintained, than Windows.  So, assuming equal market 
share, I predict that you'd have several times the viruses, worms, 
rootkits, etc. directed against Windows, simply because there are 
several times as many chinks in its armor, and, just as now, gazillions 
of times as many Windows machines actually broken into or otherwise 
damaged due to bad security, as Mac.

> Gee, maybe software systems emanate a modicum of "unsecurity gravity", so
> that if you get a great many of them together (that is, if millions and
> millions of people buy the product), security plummets, and declines as the
> square of the distance to True Dead Center of the day's commonplace
> platform. Or, to put it another way, this is why XP sucks.

It's one factor.  If the market share figures were reversed, there would 
probably not be as many attacks written for it, and certainly there 
would be fewer worm-infected machines trying to attack other XP boxen. 
But it's far from the only reason.

> ----- Original Message -----
> From: <sc-l-request at securecoding.org>
> To: <sc-l at securecoding.org>
> Sent: Friday, July 21, 2006 5:05 AM
> Subject: SC-L Digest, Vol 2, Issue 124

Please trim your quoted matter to just what's necessary to give us a 
clue what you're talking about.  Google netiquette.

-Dave

