Microsoft had the lowest average “All days of risk” (25) and fixed all of its applicable flaws, yet it only tied with Red Hat for first place overall.
Why? Because Microsoft needs to work on its share of high-severity vulnerabilities: NIST classified 67% of Microsoft’s vulnerabilities as high severity, placing Microsoft last among the platform maintainers by this metric.
In contrast, only 56% of Red Hat’s vulnerabilities were classified as high severity. Red Hat also fixed 99.6% (all but one) of the 229 applicable Linux security flaws. Debian, which had the lowest “Distribution days of risk” with 32, took third place, followed by MandrakeSoft and SUSE. No platform maintainer will ever eliminate every vulnerability from its platform, commercial or open source. Does that mean platform security will never get any better than it is today? Hardly.
The next important step in improving platform security is to reward responsible disclosure. The discoverer of a security bug can reveal the findings to the public immediately, or take the responsible route: disclose the flaw privately to the component’s maintainer and give them a chance to fix it first.
If maintainers and discoverers work together under responsible disclosure procedures, they can announce the problem and its solution simultaneously. Coordinated releases mean everybody wins: they drastically shorten the window during which attackers are most likely to exploit customers’ systems.
Responsible disclosure in turn makes scheduled security updates possible. Security flaw discoveries are inherently unpredictable, but the update process doesn’t have to be. Predictable security updates trade a possible increase in “All days of risk” for a schedule around which users can plan their patch testing and deployment processes.
However, scheduled security releases will only ease users’ patching workloads if discoverers continue to abide by responsible disclosure principles. Otherwise, users will still get stuck with large numbers of emergency bulletins.