Skepticism called for on all vendor studies

Whenever I see a study I look at who sponsored it.

Take this for example. It's a study from Security Innovation Inc. claiming Linux servers are less secure than those running Windows.

Are you surprised it was sponsored by Microsoft?

I wrote such papers in a previous life and, believe it or not, Microsoft will not let these things go out if they think the conclusions go too far.

But it's so easy to make numbers tell the story you want to hear. Check out the methodology, then ask:

  • Define a security vulnerability. Are they all equal?
  • Define days of risk. This study claims it's the time between public disclosure and an available fix. If I keep a risk to myself, is it not a risk?

Mark Cox of Red Hat is offering his own data sets and scripts to let you test the Sisecure conclusions against your own systems.

So, is this FUD, or is this factual? What's the security record at your shop? Let us know in TalkBack.
