Measuring risk of Microsoft Windows and Linux
We measure responsiveness using two metrics: “All days of risk” and “Distribution days of risk”.
The “All days of risk” metric quantifies the platform’s actual exposure to attack by measuring the number of days between the first public disclosure of a flaw and the platform maintainer’s first fix for it.
“Distribution days of risk” compares the Linux distributors’ responsiveness. In the Linux world, distributors bundle together code from many sources, so there may be a lag between the time a patch is issued for a specific component and the time it is included in a distribution.
“Distribution days of risk” quantifies the elapsed time between the first fix for the security hole issued by the maintainer of the component and the first fix for the flawed component issued by the distributor.
We calculated separate “Distribution days of risk” values for several Linux distributions (Debian, MandrakeSoft, Red Hat, and SuSE) and used the “All days of risk” value for Microsoft.
We measure relative severity, using criteria from the US Government’s National Institute of Standards and Technology (NIST), to account for the fact that some vulnerabilities are more important than others. For example, flaws that allow local computers to modify the high scores for games are much less important than flaws that allow remote attackers to take complete control of your computer.
The thoroughness criterion asks the question, “How close do you get to fixing 100% of public security flaws?”
There’s no credit for fixing 20% of vulnerabilities lightning-fast and ignoring the rest.
Forrester used the metric “Flaws fixed” to measure the platform maintainers’ thoroughness by calculating the share of applicable public security issues that the platform maintainer addressed. To evaluate the Debian, MandrakeSoft, Microsoft, Red Hat, and SuSE platforms on those four metrics, we collected security vulnerability data for the period between June 1, 2002 and May 2003. We deliberately used old data in order to avoid providing attackers with more ammunition.
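The four metrics above, worked through as an added example (this is not Forrester’s own tooling or data): each flaw record carries its public disclosure date, the component maintainer’s first fix, and the platform maintainer’s first fix (for a Linux distribution that is the distributor; for Windows it is Microsoft, and the upstream date is simply ignored). The record layout, the 1..3 severity weight standing in for the NIST rating, the zero-floor on negative day counts, and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Flaw:
    """One public security flaw tracked for a platform (constructed record layout)."""
    flaw_id: str                  # placeholder id, not a real advisory number
    disclosed: date               # first public disclosure
    upstream_fix: Optional[date]  # component maintainer's first fix (None if unknown)
    platform_fix: Optional[date]  # platform maintainer's / distributor's first fix; None = unfixed
    severity: int = 1             # assumed 1 (low) .. 3 (high), stands in for the NIST rating


def _days(start: date, end: date) -> int:
    # A fix shipped before public disclosure counts as zero days of risk (assumed convention).
    return max(0, (end - start).days)


def all_days_of_risk(flaws, weighted=False):
    """Mean days from public disclosure to the platform maintainer's first fix (fixed flaws only)."""
    fixed = [f for f in flaws if f.platform_fix is not None]
    if not fixed:
        return None
    if not weighted:
        return mean(_days(f.disclosed, f.platform_fix) for f in fixed)
    # Severity-weighted mean: a slow fix for a remote-takeover flaw counts more than one for a game high-score flaw.
    return sum(f.severity * _days(f.disclosed, f.platform_fix) for f in fixed) / sum(f.severity for f in fixed)


def distribution_days_of_risk(flaws):
    """Mean lag between the component maintainer's fix and the distributor's fix (both dates needed)."""
    lags = [_days(f.upstream_fix, f.platform_fix) for f in flaws if f.upstream_fix and f.platform_fix]
    return mean(lags) if lags else None


def flaws_fixed(flaws):
    """Thoroughness: fraction of applicable public flaws the platform maintainer addressed."""
    return sum(1 for f in flaws if f.platform_fix is not None) / len(flaws)


# Constructed sample records for one hypothetical distribution inside the study window.
SAMPLE = [
    Flaw("FLAW-1", date(2002, 6, 3), date(2002, 6, 5), date(2002, 6, 15), severity=1),   # 12 days, 10-day lag
    Flaw("FLAW-2", date(2002, 8, 1), date(2002, 8, 1), date(2002, 8, 31), severity=3),   # 30 days, 30-day lag
    Flaw("FLAW-3", date(2003, 1, 10), date(2003, 1, 20), None, severity=2),              # never fixed downstream
]

if __name__ == "__main__":
    print("all days of risk:", all_days_of_risk(SAMPLE), "weighted:", all_days_of_risk(SAMPLE, weighted=True))
    print("distribution days of risk:", distribution_days_of_risk(SAMPLE), "flaws fixed:", flaws_fixed(SAMPLE))
```

Note that the unfixed FLAW-3 drops out of both day-count averages but still drags down “Flaws fixed”, which is exactly why the thoroughness metric is reported alongside responsiveness.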