In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Vulnerability Workload Index (VWI), that provides a weighted measure of the impact that ongoing security vulnerabilities have on those doing the patching. Here is how the report defines it:

This vulnerability workload index gives a measure of the number of important vulnerabilities that security operations staff would be required to address each day. The higher the number, the greater the workload and the greater the general risk represented by the vulnerabilities. The workload index is calculated in a similar way to the workload index from NIST [3].

For a given month, Vulnerability workload = ((number of critical and important severity vulnerabilities published within the last month) + (number of moderate severity vulnerabilities published within the last month/5) + (number of low severity vulnerabilities published within the last month/20)) / (days in the month)

Note that the weighted sum is divided by the number of days in that month, so 60 Critical and Important vulnerabilities over a 30-day month (with no Moderate or Low ones) works out to a VWI of 2.0, which is what happened to Red Hat Enterprise Linux 4 Advanced Server (RHEL4AS) in its first month of availability.
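To make the arithmetic concrete, here is an added Python example (not code from Mark's report or from this post) that applies the formula above to a constructed list of advisories. The advisory dates and severities are made up for illustration; the code buckets advisories by calendar month and uses that month's real day count, which is one reasonable reading of "within the last month" (a trailing 30-day window would be the other). It also counts months at or below a threshold, the kind of tally used for the observations further down.

```python
import calendar
from collections import Counter, defaultdict
from datetime import date

# Weights taken from the report's formula: a Moderate counts 1/5 of a
# Critical/Important, a Low counts 1/20.
SEVERITY_WEIGHT = {
    "critical": 1.0,
    "important": 1.0,
    "moderate": 1 / 5,
    "low": 1 / 20,
}


def vulnerability_workload(counts, year, month):
    """VWI for one calendar month from a {severity: count} mapping.

    Weighted sum of advisories divided by the number of days in that
    month (28, 29, 30 or 31), exactly as the report's formula states.
    """
    for sev in counts:
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity: {sev!r}")
    weighted = sum(SEVERITY_WEIGHT[sev] * n for sev, n in counts.items())
    days_in_month = calendar.monthrange(year, month)[1]
    return weighted / days_in_month


def monthly_vwi(advisories):
    """Bucket (date, severity) advisories by calendar month.

    Returns {(year, month): vwi}, sorted by month. Bucketing by calendar
    month is an assumption; the report's wording could also mean a
    trailing 30-day window.
    """
    per_month = defaultdict(Counter)
    for published, severity in advisories:
        per_month[(published.year, published.month)][severity.lower()] += 1
    return {
        ym: vulnerability_workload(counts, *ym)
        for ym, counts in sorted(per_month.items())
    }


def months_at_or_below(vwi_by_month, threshold):
    """Count months whose VWI is <= threshold (e.g. 0.0 or 0.1)."""
    return sum(1 for v in vwi_by_month.values() if v <= threshold)


# Constructed sample data (hypothetical, not real advisories):
# April 2004 (30 days): 30 Critical + 30 Important  -> 60 / 30 = 2.0
# June 2004 (30 days):  5 Moderate + 20 Low         -> (1 + 1) / 30
SAMPLE_ADVISORIES = (
    [(date(2004, 4, 1), "critical")] * 30
    + [(date(2004, 4, 15), "important")] * 30
    + [(date(2004, 6, 3), "moderate")] * 5
    + [(date(2004, 6, 20), "low")] * 20
)

if __name__ == "__main__":
    results = monthly_vwi(SAMPLE_ADVISORIES)
    for (year, month), vwi in results.items():
        print(f"{year}-{month:02d}: VWI = {vwi:.3f}")
    print("months with VWI <= 0.1:", months_at_or_below(results, 0.1))
```

Because a single Critical in a 31-day month already contributes about 0.032, a month scoring 0.1 or less means at most three Critical/Important advisories, or a handful of Moderates, which is what the threshold in the observations below is really measuring.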

In the chart above, I have applied Mark's methodology and formula to Windows Server 2003 (WS2003) during its first year of availability and then charted the RHEL4AS and WS2003 side-by-side over their first year.  Interesting, no?

  • WS2003 has 4 months with a VWI of zero
  • WS2003 has 10 months with a VWI of 0.1 or less
  • The worst month for WS2003 is still better than 9 of the RHEL4 months

Other observations are left up to the reader...

Jeff