US Cert numbers don’t really matter
I read the US Cert ‘year-end’ numbers. I’ve watched everyone and their mother hop up to defend the Open Source side of things…and, at the end of the day, it doesn’t really matter to me.
Here are my *feelings* regarding 2005.
1) There were more bugs; however, most of these were application bugs in third-party software that ran on top of the OS, and many of the applications were downright marginal. I call these flaws ‘sourceforge newbie flaws’ (or r0t flaws). All in all, I feel as if 2005 was a better year with respect to security.
2) It used to be that Windows was inherently insecure and Linux/FreeBSD/OpenBSD/etc. were more secure. Now, I feel as if Windows is as secure as *nix. Back in the 90s, I would spend more time writing a fuzzer than it took to run the fuzzer and find a flaw in Windows. All of the flaws were skin-deep. Now, the Windows flaws are more deeply buried (i.e. much harder to find). It’s getting much, much harder to find flaws in Windows machines. Windows security *is* getting better and will continue to get better. At the same time, Windows functionality continues to grow in leaps and bounds. You can draw your own conclusions.
3) 2005 was a grace period for Mac users. Here’s a prediction: 2006 will be hard on the Mac.
4) Information Security is no longer an infant. The killer apps have been developed, marketed, and sold. What’s left is the ‘professionalization’ of Information Security. In the 90s (and even into 2005), it wasn’t unusual for the Information Security team to play by a different set of rules (Cowboys?). We moved fast and loose in those days. Those days are, in my opinion, dead and gone.