February 21, 2005

stupid security audit approach

http://www.securityfocus.com/columnists/299

More and more, we see articles questioning the security of a given platform based solely on the number of advisories published -- and this approach is simply wrong.

The quality of the software in question directly affects the number of advisories -- this should go without saying. Software with fewer security flaws will generate fewer security advisories. In a simple world, the number of advisories published by a given entity might be a direct indication of how secure that software is. But the reality of software and operating systems today is far more complex; many other factors affect the number of security advisories, which can be lumped into three broad categories: scope, policy of publication, and audit efforts. Let's look at each of these briefly.

Posted by yargevad at February 21, 2005 11:16 AM


This weblog is licensed under a Creative Commons License.