The “secure software” dilemma

It’s quite a dilemma when a software product is billed as more secure than another. Several days back, when Mozilla Firefox released v. which fixed a number of security issues, I saw someone comment “I thought firefox was supposed to be secure.” I think there’s a misunderstanding when it comes to software. I think the misunderstanding is that one piece of software can be secure and another not, out of the box. Let’s take a stab at clarifying: security is not a product, it’s not a feature, it’s a way of doing things. Along those lines...

Someone points out that Linux is insecure. The point is very good, well taken and well done. The writer drives home the point by using cars as an analogy. They say Linux is more secure than Windows (from the article): “If we were talking cars, Linux would be a Volvo S80 and Windows would be a Ford “Hit here to blow up” Pinto.”

The point, though, is that ANY car can be involved in a wreck, so a “secure” car doesn’t immunize you against a wreck. Driving practices CAN protect against a wreck, though. The same is true with computers: secure PRACTICES can prevent security breaches. The same is true in the development of software such as Firefox. Being responsive to security disclosures is one way that a software product can be considered “more secure” than another. From what I’ve seen, Mozilla seems to be fairly responsive when they’re advised of security issues with Firefox. I’ve seen anecdotal reports of a very sluggish response at Microsoft with similar issues. Some areas of the web seem to be filled with stories of “I reported xyz vulnerability to Microsoft xxxx months ago and they’re still investigating, so I’m disclosing publicly to “increase pressure” on them to react”.

Just because software is considered more secure doesn’t mean it’s bulletproof; it will still need updates and other safe working habits.
