[Dailydave] Graphing: Don't believe everything you see.

Robert E. Lee robert at dyadsecurity.com
Wed Feb 7 11:05:46 EST 2007


George Ou wrote:
 > Take a look at Microsoft SQL 2005 and you'll see that's been ROCK SOLID with
 > ZERO vulnerabilities.
 > http://secunia.com/product/6782/?task=advisories
 > Compare that to the mess of Oracle over the same time period.
 >
 > So let's not base our analysis on some stupid trumped up diagram and let's
 > not make stupid generalizations about platforms.  Let's try and be objective
 > and factual.

In the spirit of "[silly] generalizations"....  the number of
vulnerabilities publicly disclosed for a product doesn't seem to be a
valid metric for measuring security between products. There are different
disclosure policies for every organization/product.  Some applications
are just going to get more attention than others.

Closed source vs Open Source changes the methods available to an outside
researcher for testing.  For results to be compared, the same tests have
to be run equally for both projects.

Comparing the end result (vulnerability count) without taking into account
how we got to the end result (testing methodology) reminds me a bit of:

"If... she... weighs... the same as a duck,... she's made of wood. And
therefore? A witch!!!"

Cheers :),

Robert

-- 
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com

phone: +46-708-474-320
fax  : +46-0455-13960
email: robert at dyadsecurity.com
