Security Report From Aberdeen Group

I was pointed to a new report from the Aberdeen Group: entitled Open Source and Linux: 2002 Poster Children for Security Problems (requires free registration to read the full report) by Aamir

It’s interesting that the report never seems to come out and clearly say exactly who the poster children are. It mentions “Security advisories for Open Source and Linux software accounted for 16 out of the 29 security advisories”. But it then goes on to say “Keeping pace with Linux and Open Source software are traditional Unix-based software products, which have been affected by 16 of the 29 advisories”. So that’s 16 out of 29 for Linux & Open Source and 16 out of 29 for traditional Unix!

Hmmm. It doesn’t seem to mention the combination of Windows and Open Source, which was also affected by, for example, the last two Apache security advisories.

Interestingly, it doesn’t mention the fact that most Linux distributions ship with at least 1000 more applications than Windows. More applications means more bugs (including security related ones).

It doesn’t mention anything about the response times to get these vulnerabilities fixed. I am on about 8 security mailing lists, and I see how fast these things are reported, and how fast the fixes are released. Often within a couple of days.

It doesn’t mention the fact that security issues and bugs are found much more quickly and easily in Open Source software simply because you can see and examine the source code. It also fails to mention that it is equally quick to fix them for the same reason.

It then quotes some much more alarming statistics about incidents (occurrences of the same vulnerabilities), but fails to assign any OS or development model labels to the numbers.

“One of these realities is that no one vendor or supplier is more at fault than another.”

Funny I didn’t get that from the headline.

“Moreover, the scourge of past days, viruses, has been replaced by active Internet content that worms its way into any Internet-aware software utilities and services”

and we all know which Internet-aware software suffers most from this don’t we? IIS, IE, and Outlook.

BTW, this is the same company that published a report attacking the Athlon XP’s processor rating system, which it turned out was funded by Intel. Stories on ZDNet and slashdot.