Saturday, April 15, 2006

Cisco Humbled by Security Breaches

Security

My primary thesis about computer security is this:

There is no such thing as a platform or development model that is inherently more secure than other competing platforms or models . Open source software is not more secure than Windows by virtue of the development model. I assert that platform security is a perception that is in large part related to ubiquity in the marketplace.

Windows has a very high level of ubiquity and therefore presents a greater attack surface and has higher rates of exposure. Consequently, people may perceive that Windows is insecure. For example, at Secunia.com, there are 518 security advisories.

However, for the Amiga platform, there are no security advisories and 6 known viruses.

Could we conclude that the Amiga platform is more secure than Windows by the comparatively lower numbers of security issues? Of course not. Amiga is an enthusiast's, niche platform that has nearly zero market acceptance. It's lack of security issues is due in part to its lack of ubiquity and also its lack of functional sophistication in comparison to meaningful platforms like Windows and *nix.

Cisco's recent security woes support my thesis. Network security is a fundamental aspect of Cisco's business. Their products are all about securing and distributing network traffic. Security is a development focus.

And yet, their products have had security lapses in the past. Why is there not the same level of backlash against Cisco as there is against Windows regarding security issues? One could argue that a security vulnerability in Windows XP affects a workstation (or potentially multiple workstations) but a vulnerability in a firewall or router exposes an entire network.

My point is not to trash Cisco but to provide more evidence to debunk the open source zealotry that asserts that the OS methodology in general and the Linux platform specifically are inherently more secure than other platforms.