Apples, Oranges and Vulnerability Metrics

Common Objections - Comparing Linux Distros with Windows

Jeff Jones Security Blog — Mon, 29 Jan 2007 21:32:30 GMT

Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics

Windows vs Linux - Workstation Comparison - Q3 2006

Jeff Jones Security Blog — Tue, 07 Nov 2006 22:03:33 GMT

NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather,

Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

Jeff Jones Security Blog — Sat, 07 Oct 2006 01:07:57 GMT

Why Red Hat? As folks know who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions

re: Apples, Oranges and Vulnerability Metrics

Andrew — Thu, 20 Jul 2006 18:03:42 GMT

OK, so the Security Innovation studies did not use minimal installation, they used completely bare minimum? So there would be a lot less than 250 applications installed to run a webserver or database server. Obviously RHEL will have more applications because they have functions broken up a bit more, but the feature set compared is roughly the same?

It is just that the graphs you are showing in the other blog entry, (1st Half 2006), seem rather misleading, as while you did suggest that these are how the vendors wish to present their products (with more features), I think it is more a case of these vendors giving administrators freedom to choose. And it is trivial to uninstall the unnecessary applications from RHEL. That is why I thought the role based studies would be much more interesting.

One point I quite like though is, while people in certain places are quick to criticise the reports, they do not then want to continue the argument towards showing the "real" statistics. This suggests a lot. The evidence, I assume, should be fairly easy to gather. Actually that is a good point, where are the best places to find vulnerability statistics?

In terms of studies supporting Linux, all I see is one study that put a XP machine and a Linux machine on the internet unpatched around a time when there was a major worm problem with XP. That study is obviously completely flawed for multiple reasons.

re: Apples, Oranges and Vulnerability Metrics

Jeff Jones - MSFT — Thu, 20 Jul 2006 15:22:20 GMT

Andrew - no, that's not quite what I'm saying. What I'm saying is that if you go install Red Hat and choose "minimal" installation (the least you can do), then check afterwards, the minimal install still has over 250 "rpm"s installed. This is the package groups they label "core" and "base" plus a few other packages.

re: Apples, Oranges and Vulnerability Metrics

Andrew — Thu, 20 Jul 2006 07:28:03 GMT

Jeff, in those studies by Security Innovations, are you saying there are still over 250 applications installed in the minimal RHEL version? And you say, they are not required for the role? I thought the whole idea of those studies was to take that imbalance out of the equation by only using the applications on RHEL that are required to perform the role.