Returning to The Unbearable Triteness of CVE League Tables and Graham Cluley’s subsequent article Don’t Believe Headlines That Claim OS X Was The “Most Vulnerable” Software of 2015: Bruce Schneier describes the brief commentary by Emil Protalinski for Venturebeat as ‘interesting analysis’. Well, it does point out the methodological weaknesses already noted. Schneier goes on to suggest that there is room for discussion on how enumerated vulnerabilities relate to the security of the software affected, but helpfully suggests that ‘nobody knows’ the answers to his questions.
I think the point is that there has been so much commentary on the original article on CVE Details that seems to assume that it’s perfectly OK to measure the security of an operating system by the number of reported vulnerabilities. I don’t say that it’s impossible to compare operating system security by analysis of ‘the nature of each vulnerability, links or at least suitable search terms for looking at the detail of the vulnerabilities, and information on how responsive the companies behind the software were in each case…’ (Sorry, I’m quoting myself again.) Whether such analysis would be accurate is a different question, and in any case I can’t say I’ve seen anything that offers a serious attempt to go that route. So perhaps Schneier is right, and nobody knows. But that doesn’t mean it’s unknowable.
Just a thought.