halos and security holism

A nice article about Fidelity and open source has two things that I find especially nice, in this one paragraph alone:

The Mozilla Firefox browser was an eye-opener, added Mike Askew, who also works in the technology center. A head-to-head comparison of Firefox and Internet Explorer showed that both had about the same level of security vulnerability, but “the time needed to fix vulnerabilities in Firefox was much less,” Askew said. That experience led Fidelity to look at open source more intently.

First, I do quite like to hear that our success is making people look at other open source offerings more seriously. It’s not a primary goal for the project, but it’s one of the nice unintended consequences that we get as a bonus.

Second, I like to see people evaluating security characteristics of software in a more nuanced way than simple advisory or vulnerability count. Not all bugs are equal (as is perhaps obvious now, in the throes of the WMF vulnerability, though that’s not an IE bug), and even with severity weighting you are still faced with what are likely even more important questions. Chief among them might well be “how long am I likely to be exposed once a bug is found, or publicized?” If you believe that history is a useful, if imperfect, guide, then something like this vulnerability-window study might be of interest. If not, then you’ll have to do more research, which I very much hope you’ll publish.
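To make the difference between a raw vulnerability count and an exposure-window view concrete, here is an added example (not code from the original post, and not from any of the studies it links to). It takes a small, constructed set of advisory records for two hypothetical products, each with the same number of bugs, and computes per-product count, median days between public disclosure and fix, and a severity-weighted total of exposure days. An advisory with no fix yet counts as exposed up to the evaluation date. The product names, dates and severity weights are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    """One public vulnerability record (constructed sample data, not a real advisory)."""
    product: str
    severity: str            # "critical" | "high" | "moderate" | "low"
    disclosed: date          # date the issue became public
    fixed: Optional[date]    # release date of the fix, or None if still unpatched


# Illustrative weights only; pick your own scale (e.g. CVSS bands) for real data.
SEVERITY_WEIGHT = {"critical": 4.0, "high": 2.0, "moderate": 1.0, "low": 0.5}


def exposure_days(adv: Advisory, today: date) -> int:
    """Days a user of the affected product was exposed once the bug was public.

    An unpatched advisory is exposed from disclosure through `today`.
    """
    end = adv.fixed if adv.fixed is not None else today
    return max(0, (end - adv.disclosed).days)


def summarize(advisories: List[Advisory], today: date) -> Dict[str, dict]:
    """Per-product metrics: raw count vs. exposure-window figures."""
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    summary = {}
    for product, items in by_product.items():
        days = [exposure_days(a, today) for a in items]
        weighted = sum(SEVERITY_WEIGHT[a.severity] * d for a, d in zip(items, days))
        summary[product] = {
            "count": len(items),                       # what a naive comparison uses
            "median_days": median(days),               # typical time-to-fix
            "weighted_exposure_days": weighted,        # severity x days, summed
            "unpatched": sum(1 for a in items if a.fixed is None),
        }
    return summary


def rank(summary: Dict[str, dict], key: str) -> List[str]:
    """Products ordered best-first (lowest value first) on the chosen metric."""
    return sorted(summary, key=lambda p: summary[p][key])


# Constructed sample: both products have exactly three public bugs.
TODAY = date(2006, 1, 4)
SAMPLE = [
    Advisory("browser-a", "critical", date(2005, 11, 1), date(2005, 11, 8)),
    Advisory("browser-a", "high",     date(2005, 11, 15), date(2005, 11, 20)),
    Advisory("browser-a", "moderate", date(2005, 12, 1), date(2005, 12, 15)),
    Advisory("browser-b", "critical", date(2005, 10, 1), date(2005, 11, 30)),
    Advisory("browser-b", "high",     date(2005, 11, 10), None),  # still open
    Advisory("browser-b", "moderate", date(2005, 12, 5), date(2005, 12, 12)),
]

if __name__ == "__main__":
    result = summarize(SAMPLE, TODAY)
    for product, metrics in result.items():
        print(product, metrics)
    print("by count:", rank(result, "count"))
    print("by weighted exposure:", rank(result, "weighted_exposure_days"))
```

Ranking by `count` cannot separate the two products at all, while the exposure-window figures put them far apart; that gap is the point the paragraph above makes, and the `unpatched` column is the reminder that an open advisory keeps accruing exposure every day the comparison is delayed.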

3 comments to “halos and security holism”

  1. Humpty Dumpty
    entered 4 January 2006 @ 1:37 am
  2. entered 4 January 2006 @ 1:47 am

    The CERT study listed is a great example of why simply counting vulnerability reports is a risky practice. Not because it would seem to indicate that Linux has more security bugs than does Windows — it might well, for all I know; I’m not very current on that — but because it groups software pretty “misleadingly”. GNU Emacs and squid run on Windows as well as Linux, and the vast majority of Windows bugs listed seem to be in 3rd-party software that doesn’t get distributed with the operating system, and are therefore unlikely to affect the security of a given Windows user.

    “Misleading” is in scare-quotes because I don’t think it was the intent of the CERT list compilers that the raw count be used to compare the security of different operating systems, even on a single simplistic number line. Shame on them if it was, though.

    It’s also a great example of how the comment system can savage a raw URL, so I’ve taken the liberty of fixing it. (I should add a Preview button one of these days, mmmmmm….)

  3. entered 4 January 2006 @ 2:25 am

    [...] After my previous post about Fidelity and Firefox, Rafael pointed me at another article about Fidelity’s adoption of Firefox. A gem from that one, emphasis mine: Recently the center began testing the open-source Firefox browser, an alternative to Microsoft’s dominant Internet Explorer. Charlie Brenner, a Fidelity senior vice president in charge of the center, says the idea came from engineers in his department who were using it at home and liked Firefox’s advanced features, such as the ability to open new browser windows in tabs rather than in a whole separate browser, and its promise of being more secure from hacker attacks than Explorer. [...]