Posted by: David Harley | January 12, 2016

Vulnerabilities, Security and the Limits of Knowledge

Returning to The Unbearable Triteness of CVE League Tables and Graham Cluley’s subsequent article Don’t Believe Headlines That Claim OS X Was The “Most Vulnerable” Software of 2015, Bruce Schneier describes the brief commentary by Emil Protalinski for Venturebeat as ‘interesting analysis’. Well, it does point out the methodological weaknesses already noted. Schneier goes on to suggest that there is room for discussion on how enumerated vulnerabilities relate to the security of the software affected, but helpfully suggests that ‘nobody knows’ the answers to his questions.

I think the point is that there has been so much commentary on the original article on CVE Details that seems to assume that it’s perfectly OK to measure the security of an operating system by the number of reported vulnerabilities. I don’t say that it’s impossible to compare operating system security by analysis of ‘the nature of each vulnerability, links or at least suitable search terms for looking at the detail of the vulnerabilities, and information on how responsive the companies behind the software were in each case…’ (Sorry, I’m quoting myself again.) Whether such analysis would be accurate is a different question, and in any case I can’t say I’ve seen anything that offers a serious attempt to go that route. So perhaps Schneier is right, and nobody knows. But that doesn’t mean it’s unknowable.

Just a thought.

David Harley
