George Ou has an interesting analysis of Microsoft OS vs. Apple OS vulnerability counts. Anything comparing the security of these two companies becomes controversial. I think that any analysis of vulnerability counts should include a paragraph on risk vs. vulnerabilities to defuse the Mac fanboys. I might be able to leave my back door safely unlocked (a vulnerability) in the suburbs of Boston in Concord, MA. I wouldn't do the same thing in Brooklyn, NY. Same vulnerability, different threat environment. Everyone readily admits that Macs carry less risk on average because of their population and user base. This does not mean they are more secure. Move them into a high-risk environment such as the hacker challenge at CanSecWest and they fall down. Just because there are no crackheads roaming around my neighborhood doesn't mean my house is secure if I leave the back door open.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

Kelly | November 9, 2009 10:34 am

Thanks - nicely stated.
I would like to learn more about risk vs. vulnerability and how the two are different. Our security team is scanning for vulnerabilities and reporting it to management as risk - without considering the threat environment.
Thanks -
