Hackers successfully compromised the Apache.org servers this month and it has given me food for thought.

If you are working to improve software security, then you have to take the (risk) viewpoint that at some point, attackers will target one of your users and attack the software as an avenue of access to information they want.  Put another way, we don’t have control over attackers, so the only thing we can try to make better is the security and resiliency of the software itself.  This means that I look at software-focused metrics like publicly disclosed vulnerabilities, design flaws, etc., to tell me if the security and resiliency of the software is getting better or worse.

However, outside of the teams trying to develop products more securely, there is a frequent conversation that differentiates between:

  • security and resilience of the software, and
  • safety of the users of that software

Why?  Take Windows 7 and Mac OS X security as a discussion point and look at a few recent articles.  You can see that security researchers sometimes emphasize one position over the other:

Looking at the latter, several security pros were asked “Which is more secure, Mac or PC?”

Rich Mogull of Securosis says the same as Charlie Miller in the other article:

"Microsoft has done more in terms of its inherent security features than Apple has in the operating system. All of that said, Microsoft gets attacked a lot more than Apple does. Right now your odds of being infected as a Mac user by malicious software are quite a bit lower than a Windows user, unless you do stupid things."

On the other hand, Tyler Reguly of nCircle says:

"If you believe the hype and the flashy commercials the answer would be Mac. But if you take a look at the two platforms, and the mindsets of the companies behind them then the PC wins hands down."

Tyler (to me) seems to be answering the question of which software is better designed and implemented from a security perspective, rather than expanding the question to include safety of the users. 

A common theme from the security pros was best summarized by researcher Nitesh Dhanjani:

"I realize the market share argument is a cliche, but I feel it is true--OS X wins from a security perspective because it has a lower market share. Windows Vista and Windows 7 have some impressive security controls that are not present in OS X. If we were to flip the market share, we would see a lot more exploitation in the wild. More specifically, browser security is one of the more important items to consider today from a risk perspective."


Ultimately, this comes back to something we’ve been saying for a while.  Security of software is an industry problem. 

Here is the key point.  Less likely does not equal zero in most cases.  It really makes me recall the points made by Martin Hellman on the RSA Crypto Panel two years ago with respect to high impact, low probability events.

While certain types of indiscriminate nuisance attacks may be less likely on certain platforms, unless you have nothing of value, then you will face an attack someday – and you do have something of value, all of your personal information at the very least.

So, I close with where I started.  If you are working to improve software security, then you have to take the (risk) viewpoint that at some point, attackers will target one of your users and attack the software as an avenue of access to information they want.  We don’t have control over attackers, so the only thing we can try to make better is the security and resiliency of the software itself.