Flaws in arguments leave the uninformed... well, uninformed.
Date: Thursday, January 15 2004
Topic: Security


Normally, I respect the news coming from The Inquirer, because Mike Magee tends to have very good access to a lot of people. I have to take issue with the report Software Vulnerabilities Still Dog Operating Systems though, because the report makes inappropriate conclusions based on a flawed measurement methodology. It does not take a rocket scientist to understand what I am about to say, so I hope the message is clear to all.

The article, which appears to have good intentions, is nonetheless based upon a false premise. That premise is that the number of vulnerabilities reported to an organization is equivalent to the concept of being trustworthy. The fact is that the author has made an extrapolation to a conclusion that simply is not possible in the light of logic. While I applaud the effort to expose vulnerabilities in any system so that they are corrected, I would say that the author is incorrect in assuming that the sheer number of reported vulnerabilities has any direct correlation to the inherent security of the underlying Operating System itself. This is known as assuming causality where no direct correlation can be proven.

From a simple scientific methods course, you would know that this is a case of assuming a correlation where one may or may not exist. Strong correlations may be implied, but you cannot say with exacting authority that the two will have any bearing on real life. In other words, it may be the conditions under which the measurement was observed that influenced the reported outcome. To speak plainly, the conclusion was pre-conceived prior to the written article. The facts then appear to be presented in such a way as to support the conclusion, although they are truly meaningless to anyone who supports or works with a network.

If I say that the number of calls to my front desk is equivalent to a level of interest in my product, then you might agree that there is "interest" if I tell you that I have received a thousand phone calls. However, I could be telling you a tall tale, a story if you will, for there might have been nine hundred and ninety-nine prank calls or hang-ups made to the front desk receptionist. That does not equate to interest in my product, at all.

So what I am telling you now is to carefully sift through the presentation of the material for the facts when reading any document. The facts are there, but they are not being presented correctly. If we were solely to consider the number of reports of vulnerabilities as the measure by which to determine the vulnerability of a system, then this report would be valid.

However, if we are to take a far more critical look at the material being presented, the conclusions made do not pass muster. Ask anyone who runs any operating system which is more important to them: the number of reports of vulnerabilities, or the number of fixed vulnerabilities? Anyone who is charged with keeping their networks safe will tell you that the number of vulnerabilities merely announced is not the measure for securing a network. Rather, it is vulnerabilities that are corrected and/or patched that measure the success of a vendor in determining the future security of a network.

Where the Inquirer's Euromole has missed the mark is simply in the act of determining a satisfactory measure for the effect of vulnerabilities. It is, after all, whether the reported errors are corrected that matters, not whether they are simply reported. I believe the author knows that, but I cannot tell for certain. I know that any sysadmin knows that fact, even at the most junior level. The only people who won't know that are people who have no experience within the IT market, or experience in keeping networks up, available, operating and as secure as they possibly can be. In other words, the author is not speaking to the professional crowd, but may indeed be speaking to the PHB class.

I really do not care what tool a person chooses for their needs; I only care that they understand the truth of the matters presented. If Company A has 560 reports of vulnerabilities but fixed 560 reported vulnerabilities, then it is doing its job. If Company B has only 72 reported vulnerabilities, but only 35 are corrected, then it is not doing its job. Further, if Company B fails to inform the public of many of the known issues with its product (on the false-hope assumption that if you don't know about it, it won't exist), then who is really being served? It certainly does not serve the customer who relies on the security advice of Company B.

Another consideration that the article fails to take into account is the all-important time-gap measure: time to correct (TTC) for reported vulnerabilities. This is important because it addresses the key problem with vulnerabilities: the Exposure Window. The Exposure Window is defined as the time between the announcement of a vulnerability and the availability of a patch or corrective replacement. If that Exposure Window is small, it is an acceptable risk. If the Exposure Window is large, then systems become compromised and cascading errors are far more likely to occur. That measure has not been addressed in the Euromole article, nor is it even on the radar screen.
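To make the two measures above (fixed-versus-reported ratio, and the Exposure Window between announcement and patch availability) concrete, here is an added example that is not part of the original article. It scores hypothetical vendors from a constructed list of advisories; the vendor names, advisory ids and dates are all made up for illustration, and an advisory with no patch date is treated as an Exposure Window that is still open as of the reporting date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, Optional

@dataclass(frozen=True)
class Advisory:
    vendor: str
    advisory_id: str          # constructed placeholder id, not a real advisory number
    announced: date           # date the vulnerability became public
    patched: Optional[date]   # date a fix shipped, or None while still unfixed

# Constructed sample data: hypothetical vendors and dates, not real advisories.
SAMPLE = [
    Advisory("Company A", "A-0001", date(2004, 1, 2), date(2004, 1, 5)),
    Advisory("Company A", "A-0002", date(2004, 1, 3), date(2004, 1, 4)),
    Advisory("Company A", "A-0003", date(2004, 1, 6), date(2004, 1, 6)),
    Advisory("Company A", "A-0004", date(2004, 1, 7), date(2004, 1, 12)),
    Advisory("Company B", "B-0001", date(2004, 1, 2), None),
    Advisory("Company B", "B-0002", date(2004, 1, 3), date(2004, 1, 30)),
]

def exposure_window_days(a: Advisory, as_of: date) -> int:
    """Days between public announcement and fix availability.

    For an advisory that is still unfixed the window has not closed,
    so it is counted up to the reporting date `as_of` instead.
    """
    end = a.patched if a.patched is not None else as_of
    return (end - a.announced).days

def vendor_scorecard(advisories: Iterable[Advisory], as_of: date) -> Dict[str, dict]:
    """Per vendor: reported count, fixed count, fix ratio, median time to
    correct (fixed advisories only) and the longest exposure window, which
    includes windows still open at `as_of`."""
    by_vendor: Dict[str, list] = {}
    for a in advisories:
        by_vendor.setdefault(a.vendor, []).append(a)

    scorecard = {}
    for vendor, items in by_vendor.items():
        fixed = [a for a in items if a.patched is not None]
        ttc = [exposure_window_days(a, as_of) for a in fixed]
        all_windows = [exposure_window_days(a, as_of) for a in items]
        scorecard[vendor] = {
            "reported": len(items),
            "fixed": len(fixed),
            "open": len(items) - len(fixed),
            "fix_ratio": len(fixed) / len(items),
            "median_ttc_days": median(ttc) if ttc else None,
            "max_window_days": max(all_windows),
        }
    return scorecard

if __name__ == "__main__":
    for vendor, score in vendor_scorecard(SAMPLE, date(2004, 2, 15)).items():
        print(vendor, score)
```

Run against the constructed data, Company A shows more reported advisories than Company B yet a 100% fix ratio and a median time to correct of two days, while Company B's single open advisory drags its longest exposure window out to 44 days as of the reporting date. That is exactly the contrast the raw report count hides: the vendor with more reports is the one with the smaller risk.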

That method of articulation is known as limiting the scope of the article to drive the point. It simply denies the existence of facts in an effort to keep the audience from having full access to vital information. This is largely why the discussion of security is best left to experts in the field. Determining accurate measures is not an analyst's job; it can be more accurately discussed by practitioners, not armchair physicians.

When you read such reports, please remember to question the conclusions. There are facts which flow logically from arguments, but leaping extrapolations should be questioned. I generally like The Inquirer, but I would have to say that this article does not do justice to the topic it purports to discuss.

That is my opinion, and it is free speech. As it is free speech, it is protected under the First Amendment to the Constitution of the United States of America. Now, just how is that un-American, bubba?



This article comes from osforge.com
http://www.osforge.com

The URL for this story is:
http://www.osforge.com/news/001275.html