Posted by: David Harley | January 4, 2016

The Unbearable Triteness of CVE League Tables

Or, the pointlessness of trying to measure ‘insecurity’ of a platform by the number of vulnerabilities reported to have been found in it.

CVE Details reports in its figures for the Top 50 Products By Total Number Of “Distinct” Vulnerabilities in 2015 that Apple tops the table with OS X, with iOS in second place.

For The Register, Richard Chirgwin points out methodological weaknesses in the scoring, while pointing out the futility of assuming that more advisories = more vulnerable.

In fact I covered similar ground last year in a blog for ESET, though in that instance I was commenting on an article by GFI on Most vulnerable operating systems and applications in 2014, the article being based on similar data from the National Vulnerability Database. Sorry, but I’m going to quote myself at length:

… Once upon a time … I owned a … Victorian villa in the English Midlands. Given its age and its nearness to both a busy railway station and to fluvioglacial landforms, it’s unsurprising that, like many houses in the area of a similar age, its external walls had been strengthened at some point by inserting tie rods. When the time came for us to leave the area, we got a certain wry amusement from potential buyers who would try to beat us down on the price because they’d noticed the anchor plates signifying the presence of tie rods. If you’re thinking of buying a house in an area like that, might you not actually prefer to buy one where that reinforcement had already been done?

In the same way, it seems inappropriate to me to encourage the lay reader to measure the security of an operating system by the number of reported vulnerabilities. Perhaps if there’d been more information than is given in this case about the nature of each vulnerability, links or at least suitable search terms for looking at the detail of the vulnerabilities, and information on how responsive the companies behind the software were in each case, the article would have been more useful. I appreciate, of course, that such a level of detail would have required considerable effort, but I’m sure it would have been appreciated by the ‘IT administrators’ who were addressed here.

As Chirgwin points out, it doesn’t make sense to suggest that an operating system is ‘insecure’ simply because it ‘is working hard to discover and fix its bugs, and to respond to bugs reported to it.’

David Harley

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: