Date: Mon, 10 Jul 2006 11:50:54 -0600
From: Bob Beck <beck@...h.cns.ualberta.ca>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

> If the number of vulnerabilities is graphed over time, is either
> heading down or both heading up or...?
> 
> - I'm not asking for a "who's better", I just want to know if
> anyone has a good set of numbers and if they're graphed for easy
> comparison.
> 
> 
> p.s. LAMP = Linux/Apache/MySQL/PHP
> 

	Yes, but what are you hoping to prove with those numbers. I think all
you're demonstrating is what things get more attention, likely due to
their popularity, so they make a more interesting target.  I.e., just
because you hardly find any vulnerabilities for web apps
deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
sir can I have another..)[1]) doesn't mean those that are aren't rife
with them. 

	It's like all the people running around running OSX thinking
how secure it is because there aren't many published vulnerabilities.
Don't get me wrong, I actually do believe security through obscurity works
(OSX is living proof), but I don't think the numbers you are suggesting 
will mean much.

	Just from what I've "seen" I'd guess they were comparable.  What does
that mean? Well, pretty much web applications under Windows or LAMP
appear to use the same development model for much of their code - first
to market with coolest features the fastest. Quality is an
afterthought to be dealt with in patches or future releases, which
means security is a further afterthought.  Do I like running either?
No.  The graph numbers end up just being nutritionless fodder for
trolls and management. 

	-Bob


[1] Yes, I have seen an ANFC used for real [2]
[2] Yes, it had a hole.
