The operating-system security debate has been restarted.
Please stop these childish games.
I read today an article on Wired News that restarts the debate about Linux versus other operating systems' security. Its conclusion is:
- 0.17 bugs per 1,000 lines of code in the Linux kernel
- 20 to 30 bugs per 1,000 lines of code in commercial software
These statistics were collected by Carnegie Mellon University's CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell us nothing. Fine: in theory, my Linux kernel is less likely to contain bugs that lead to security threats. It is quite plausible that the open-source core of an OS has been studied more closely than the software it runs. That is exactly the situation today.
What about everything else that ships with a Linux distribution? Has it been studied as closely as the kernel? Allow me to doubt it.
What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, must not be forgotten. A program or a service can be well written, without a single programming bug, and a bad configuration alone can still open a security hole. You will tell me: the programming is perfect and bug-free, so such a thing is impossible; if it happened, the cause is the user, not me, so it is not my problem. If you build a system that is hell to configure, then yes, it is your problem. The interaction between a program and its plug-ins, or between one program and another, can lead to unexpected behaviour. Usability is probably as important as programming practice.
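To make the configuration point concrete, here is a small added example (my own illustration, not code from the Wired article or from the CyLab study): a checker that reads an OpenSSH-style server configuration and reports settings that weaken a correctly implemented daemon. The two configurations are constructed samples, not taken from any real host; the option names are real sshd_config keywords, but the "risky" judgements and the hypothetical `audit` function are this example's own. The point it demonstrates is that the same bug-free binary can be wide open or locked down depending on a few lines of configuration, and that an option left out silently falls back to the daemon's default.

```python
"""Audit an sshd_config-style text for settings that weaken a bug-free daemon.

Added illustration for this post. Sample configurations are constructed,
not copied from a real machine.
"""

from dataclasses import dataclass

# Constructed sample: a configuration that weakens an otherwise correct sshd.
WEAK_CONFIG = """
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

# Constructed sample: the same daemon, hardened purely through configuration.
HARDENED_CONFIG = """
# constructed sample, not from a real host
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

# Keyword -> (values considered risky, reason). The keywords are real
# sshd_config options; which values count as risky is this example's choice.
RISKY = {
    "permitrootlogin": ({"yes"}, "root may log in directly over the network"),
    "passwordauthentication": ({"yes"}, "password guessing instead of keys"),
    "permitemptypasswords": ({"yes"}, "accounts with empty passwords can log in"),
    "x11forwarding": ({"yes"}, "X11 forwarding widens the attack surface"),
}

# Options that OpenSSH enables by default when the file does not mention them.
# If the directive is absent, the daemon behaves as if this value were set.
DEFAULTS_IF_ABSENT = {
    "passwordauthentication": "yes",
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 means "not in the file, inherited from the default"
    option: str
    value: str
    reason: str


def parse_config(text):
    """Yield (line_no, keyword, value) for every directive.

    Blank lines and comments are skipped. sshd_config keywords are
    case-insensitive, so both keyword and value are lowercased for matching.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is ignored, as sshd would reject it
        yield line_no, parts[0].lower(), parts[1].strip().lower()


def audit(text):
    """Return the list of risky settings found in (or implied by) the config."""
    findings = []
    seen = set()
    for line_no, option, value in parse_config(text):
        seen.add(option)
        if option in RISKY:
            bad_values, reason = RISKY[option]
            if value in bad_values:
                findings.append(Finding(line_no, option, value, reason))
    # An omitted directive is not "safe": it takes the daemon's default.
    for option, default in DEFAULTS_IF_ABSENT.items():
        if option not in seen and default in RISKY[option][0]:
            findings.append(Finding(0, option, default, RISKY[option][1] + " (default, not set)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg):
            where = f"line {f.line_no}" if f.line_no else "absent"
            print(f"  {where}: {f.option} {f.value}: {f.reason}")
```

Running the script lists four findings for the weak configuration and none for the hardened one; a file that merely omits PasswordAuthentication is still reported, because the daemon's default fills the gap. Nothing in the code of sshd itself changed between the two cases, which is exactly why a bugs-per-thousand-lines figure says nothing about the exposure of a deployed system.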
How can they summarize computer security risk in lines of code? Can anyone tell me?