Header Ads

Windows, MacOS or Linux, which is more secure?

Since the beginning of the computing age, various Operating System devotees have waged war against each other over why their preferred OS is the holy grail. The debate has ranged from such topics as performance to ease of use and sometimes gets anchored in security. Some devotees would claim their flavor of OS is immune to viruses or other security vulnerabilities. The question that confronts any would-be umpire is that of whether there is any factual way to adjudicate such debates.
One common method disputants use is to head over to the common vulnerabilities and exposures website and just pull up data showing which OS has the most Vulnerabilities, see a screenshot below.



While others choose to look at the statistics for the current year to use as evidence that their preferred OS is more secure.




Unfortunately, neither of these methods can actually tell us what we need to know due to certain limitations in using CVEs to compare competing products. These limitations are there because of certain methodologies used by researchers, vendors and the background assumptions maintainers of vulnerability databases make when cataloging vulnerabilities. 
For instance, certain researchers might focus on a particular OS while leaving out others and if there are a lot of researchers focusing on a particular OS, then definitely that OS will have more vulnerabilities disclosed. Then on the side of the maintainers of the vulnerability database (VDB), they might focus on only a handful of researchers. What this means is that some vulnerabilities will not get coverage as the researchers that disclosed them are not in the selection pool of the maintainers of the vulnerability database.

Another issue is that since it is the researcher who gets to decide how much time they are spending on a product and what type of vulnerability they are interested in it, this ultimately affects what gets published. Then on the side of the VDBs, they might discover a researcher’s disclosure but decide not to publish the vulnerability due to some of their own internal criteria.

Also, how VDBs assign identifiers to vulnerabilities might affect the number of vulnerabilities recorded for a certain product. The same 10 vulnerabilities may be given the same identifier by one database, and 10 identifiers by a different one.

The foregoing just goes to show how difficult it might be to assign a security rating to on operating system based on vulnerabilities disclosed. The bottom line is when it comes to the security aspect of the battle of the OSes, you should take whatever you hear from a faithful with a pinch of salt.

2 comments:

  1. Application Verification and Control

    ReplyDelete
  2. I like your post. It is good to see you verbalize from the heart and clarity on this important subject can be easily observed... Serious Security Melbourne

    ReplyDelete

Powered by Blogger.