Skepticism called for on all vendor studies

Whenever I see a study I look at who sponsored it.

Take this for example. It's a study from Security Innovation Inc. claiming Linux servers are less secure than those running Windows.

Are you surprised it was sponsored by Microsoft?

I wrote such papers in a previous life and believe it or not Microsoft will not let these things go out if they think the conclusions go too far.

But it's so easy to make numbers tell the story you want to hear. Check out the methodology, then ask:

  • Define a security vulnerability. Are they all equal?
  • Define days of risk. This study claims it's the time between public disclosure and an available fix. If I keep a risk to myself is it not a risk?
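To make those two questions concrete, here is an added example (not from the post or the study) that computes "days of risk" over constructed vulnerability records under both definitions, counted from public disclosure and counted from the day the flaw was first known, with and without weighting by severity. The records, dates and the 1 to 3 severity scale are made up for illustration.

```python
from datetime import date

# Constructed sample records (not from the study): each fix carries the
# date the flaw was first known privately, the public disclosure date,
# the fix date, and a made-up severity weight (1 = low, 3 = critical).
SAMPLE = [
    {"id": "A", "found": date(2004, 1, 5), "disclosed": date(2004, 3, 1),
     "fixed": date(2004, 3, 3), "severity": 3},
    {"id": "B", "found": date(2004, 2, 1), "disclosed": date(2004, 2, 1),
     "fixed": date(2004, 4, 1), "severity": 1},
    {"id": "C", "found": date(2004, 2, 10), "disclosed": date(2004, 2, 20),
     "fixed": date(2004, 2, 21), "severity": 2},
]


def days_of_risk(record, start="disclosed"):
    """Days between the chosen start event and the fix.

    start="disclosed" is the study's definition (public disclosure to fix);
    start="found" counts from the day the flaw was first known, which the
    post argues is also a period of real risk.
    """
    return (record["fixed"] - record[start]).days


def average_days(records, start="disclosed", weighted=False):
    """Average days of risk, optionally weighted by severity.

    Unweighted, every vulnerability counts the same; weighted, a critical
    flaw left open counts three times as much as a low one.
    """
    if weighted:
        total_weight = sum(r["severity"] for r in records)
        return sum(days_of_risk(r, start) * r["severity"]
                   for r in records) / total_weight
    return sum(days_of_risk(r, start) for r in records) / len(records)


def metric_table(records):
    """Return the same data set summarised under four definitions."""
    return {
        "disclosed, unweighted": average_days(records),
        "found, unweighted": average_days(records, start="found"),
        "disclosed, weighted": average_days(records, weighted=True),
        "found, weighted": average_days(records, start="found", weighted=True),
    }


if __name__ == "__main__":
    for name, value in metric_table(SAMPLE).items():
        print(f"{name:24s} {value:6.1f} days")
```

The same three records yield an average of 21 days under the study's definition and 43 days when privately known time is counted, which is the point: the definition, not the data, decides the headline.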

Mark Cox of Red Hat is offering his own data sets and scripts to let you test the Sisecure conclusions against your own systems.

So, is this FUD, or is this factual? What's the security record at your shop? Let us know in TalkBack.

Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.
