Message-Id: <200607111106.k6BB6gVX004861@caligula.anu.edu.au>
Date: Tue, 11 Jul 2006 21:06:42 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: beck@...h.cns.ualberta.ca (Bob Beck)
Cc: bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

In some mail from Bob Beck, sie said:
> 
> 
> 
> > If the number of vulnerabilities is graphed over time, is either
> > heading down or both heading up or...?
> > 
> > - I'm not asking for a "who's better", I just want to know if
> > anyone has a good set of numbers and if they're graphed for easy
> > comparison.
> > 
> > 
> > p.s. LAMP = Linux/Apache/MySQL/PHP
> > 
> 
> 	Yes, but what are you hoping to prove with those numbers. I think all
> you're demonstrating is what things get more attention, likely due to
> their popularity, so they make a more interesting target.  I.E.  just
> because you don't find hardly any vulnerabilities for web apps
> deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
> sir can I have another..)[1]) doesn't mean those that are aren't rife
> with them. 

I chose those two quite deliberately because I'm pretty sure they
both get pretty good attention from hackers.  Others have mentioned
using some other OS, etc. - not interesting.

> 	Just from what I've "seen" I'd guess they were comparable.  What does
> that mean? well, pretty much web applications under Windows or LAMP
> appear to use the same development model for much of their code - first
> to market with coolest features the fastest. Quality is an
> afterthought to be dealt with in patches or future releases, which
> means security is a further afterthought.  Do I like running either?
> No.  The graph numbers end up just being nutritionless fodder for
> trolls and management. 

What I'm looking for are trends.  Absolute numbers are uninteresting.

Or in other words, are people doing development responding (even if
it is delayed) to the number of vulnerabilities found?

Are developers increasing the QA of their products in response to
increased vulnerabilities, leading to fewer in newer releases?

And I think vulnerabilities disclosed are a much better indicator
of the changes to QA/development of products than any hyperbole
from those responsible (be it management or developers.)

I fully expect both the Microsoft and Linux based platforms to
continue to be the most popular for web deployments and thus the most
interesting for hackers to target and vulnerabilities to be found.

What would concern me more here is if one platform was on the up
whilst the other was on the down.

Darren
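The distinction Darren draws above (trend direction rather than absolute counts, and the "one up while the other is down" case being the one worth worrying about) can be made concrete with a small script. This is an added example, not part of the thread; the per-quarter disclosure counts in it are constructed sample values, not real figures for any platform, and the platform names are placeholders.

```python
"""Compare the trend, not the total, of disclosed vulnerabilities per platform.

Added illustration for the thread above; the data below is constructed,
not taken from any real vulnerability database.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample input: vulnerabilities disclosed per quarter for two
# hypothetical platforms over eight consecutive quarters.
SAMPLE_COUNTS: Dict[str, List[int]] = {
    "platform_a": [14, 12, 13, 10, 9, 8, 8, 6],   # more in total, but falling
    "platform_b": [6, 7, 9, 8, 11, 12, 14, 15],   # fewer in total, but rising
}


def slope(counts: Sequence[float]) -> float:
    """Least-squares slope of counts against period index.

    Units are "vulnerabilities per period, per period": a negative value
    means disclosures are falling over time, positive means rising.
    """
    n = len(counts)
    if n < 2:
        raise ValueError("need at least two periods to estimate a trend")
    xs = range(n)
    mean_x = (n - 1) / 2
    mean_y = sum(counts) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, counts))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def classify(trend: float, tolerance: float = 0.1) -> str:
    """Map a slope to a direction, treating small slopes as flat."""
    if trend > tolerance:
        return "up"
    if trend < -tolerance:
        return "down"
    return "flat"


def compare_trends(series: Dict[str, Sequence[float]]) -> Dict[str, Tuple[int, float, str]]:
    """For each platform return (total, slope, direction).

    The total is kept only to show how misleading it is on its own:
    platform_a has the larger total yet the improving trend.
    """
    result = {}
    for name, counts in series.items():
        s = slope(counts)
        result[name] = (sum(counts), s, classify(s))
    return result


def diverging(result: Dict[str, Tuple[int, float, str]]) -> bool:
    """True when at least one platform trends up while another trends down."""
    directions = {direction for _, _, direction in result.values()}
    return "up" in directions and "down" in directions


if __name__ == "__main__":
    summary = compare_trends(SAMPLE_COUNTS)
    for name, (total, s, direction) in summary.items():
        print(f"{name}: total={total:3d} slope={s:+.2f}/quarter trend={direction}")
    if diverging(summary):
        print("platforms are diverging: one is improving while the other worsens")
```

Run as-is it reports platform_a trending down and platform_b trending up despite platform_a's higher total, which is exactly the situation the message says would be the real cause for concern. The slope is deliberately computed over a fixed-length window of equal periods; if the periods were releases rather than quarters, counts should first be normalized (for example per release or per thousand lines changed) before the same slope test is applied.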
