Apple: bigger problem, less excuse? Or same problem, same excuse?

Posted by in Analysis on Jul 12, 2010

Folks out there know I’ve been critical of Apple when it comes to product security.  I’ve criticized Apple on two counts primarily:

  1. for giving the user base (particularly the non-technical user base) a false sense of security
  2. for stacking up poorly relative to the competition on response time to fix vulnerabilities

What’s interesting to me about the discussion is the degree to which the popular wisdom continues to persist in light of data directly to the contrary.  Apple still continues to beat on its “better security” marketing drum, despite the fact that they are almost always slower to the table on issuing patches – sometimes by a factor of more than 100%.

But today, we get another data-point that suggests that Apple isn’t all that their marketing would suggest from a product security perspective.  Secunia published their 2010 half-year report where they spell out how vendors compare relative to each other by mining publicly-available vulnerability data.  And, in what might come as a little bit of a surprise to some, Apple is #1: meaning, they have the most bugs – just ahead of Oracle (number 2) and Microsoft (number 3).

This is a good data point in and of itself.  Now, you can’t necessarily conclude on this alone that Apple’s security is any worse or better than the others, but it’s useful to note.  However, I think there’s potentially another question to ask from the same data-set.  Specifically, what would we expect the size of the discovered vulnerability pool to be given the size of a vendor’s particular product portfolio?  In other words, if we normalize the data to come up with an “average number of vulnerabilities per product”, how would the vendors fare?

The Secunia report doesn’t answer that, and I don’t know that we can either.  But going by instinct, I think we can at least offer some blurry speculation.  My contention is this:

Premise #1: The list represents the sum total of all a vendor’s products
Premise #2:  Apple has fewer products represented in the list
Conclusion: Apple has more vulnerabilities per product relative to peers

If both premises are true, the conclusion has to follow.  But are they true?

Premise #1:  Are these vulnerability numbers aggregate across the complete product set? The report doesn’t say it in a way that’s unambiguous, but it comes darn close:

> To gain more insight into the security ecosystem we identify the group of the ten vendors with the most vulnerabilities (in all their products) in any given year.

Note where it says “all their products”.  This leads me to conclude that they are analyzing the complete catalog of products per vendor.

Premise #2 is where it gets speculative.  What would we expect the size of each vendor’s product portfolio to be?  While Apple has some prominent user-facing technologies (Safari, QuickTime, iTunes, and OS X – all very popular technologies), both Microsoft and Oracle have a large number of “behind the scenes” technologies – for example, server platforms and middleware.  Microsoft has the Office product line while Oracle has their database line, their OS line (don’t forget about Solaris – still in use), and everything related to Java.  It seems like their product catalogs are bigger…  but I don’t think we can say for certain that they are.  Somebody would need to go through the list of vulnerabilities, count how many products are represented, and put out a per-product vulnerability metric.

Just some food for thought…
