Dailydave mailing list archives

Re: Graphing: Don't believe everything you see.


From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Wed, 07 Feb 2007 17:05:46 +0100

George Ou wrote:
Take a look at Microsoft SQL 2005 and you'll see that's been ROCK SOLID with
ZERO vulnerabilities.
http://secunia.com/product/6782/?task=advisories
Compare that to the mess of Oracle over the same time period.

So let's not base our analysis on some stupid trumped up diagram and let's
not make stupid generalizations about platforms.  Let's try and be objective
and factual.

In the spirit of "[silly] generalizations"....  the number of
vulnerabilities publicly disclosed for a product doesn't seem to be a
valid metric for measuring security between products. There are different
disclosure policies for every organization/product.  Some applications
are just going to get more attention than others.

Closed source vs Open Source changes the methods available to an outside
researcher for testing.  For results to be compared, the same tests have
to be run equally for both projects.

Comparing the end result (vulnerability count) without taking into account
how we got to the end result (testing methodology) reminds me a bit of:

"If... she... weighs... the same as a duck,... she's made of wood. And
therefore? A witch!!!"

Cheers :),

Robert

-- 
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com

phone: +46-708-474-320
fax  : +46-0455-13960
email: robert () dyadsecurity com
