1 00:00:00,770 --> 00:00:06,550 Security features aren't all that matters when considering the security of an operating system. 2 00:00:06,680 --> 00:00:11,060 We care about what is our actual risk in the real world. 3 00:00:11,060 --> 00:00:17,420 So one way to consider real risk is to look at the amount and severity of security bugs and vulnerabilities 4 00:00:17,430 --> 00:00:25,400 that operating systems have a history of. To do that we are going to look at cvedetails.com, which 5 00:00:25,400 --> 00:00:32,240 is a security vulnerability database containing most of the known security vulnerabilities for applications 6 00:00:32,270 --> 00:00:33,930 and operating systems. 7 00:00:33,980 --> 00:00:38,750 Have a look at CVE Details yourself now and see what the latest data is. 8 00:00:38,750 --> 00:00:47,060 If we look at the top 50 list here, we can see the top 50 worst vendors, which is what we're on now. 9 00:00:47,060 --> 00:00:52,910 And as of recording we can see Microsoft is at the top with its 12 products. 10 00:00:52,910 --> 00:00:55,480 These will mostly be operating systems. 11 00:00:55,490 --> 00:00:56,620 We've got Apple. 12 00:00:56,750 --> 00:01:03,730 We've got Linux and we've got Linux distributions here, all in the top 10, and this is for all time. 13 00:01:03,830 --> 00:01:12,280 If we look at 2018, we can see we've got Microsoft, Debian, which is a Linux operating system. 14 00:01:12,280 --> 00:01:15,760 Apple is still here for 2018. 15 00:01:16,120 --> 00:01:24,580 If you look at the top 50 worst vendors with CVSS scores, now, the higher the score, the higher the CVSS 16 00:01:24,580 --> 00:01:28,480 number, the more severe the vulnerability happens to be. 17 00:01:28,480 --> 00:01:33,850 So for Microsoft here we can see 2042 critical security vulnerabilities. 
18 00:01:34,090 --> 00:01:43,330 So we can say we've got Microsoft, Apple, Linux and Linux distributions here, all in the top of this list 19 00:01:43,650 --> 00:01:45,370 of critical security vulnerabilities. 20 00:01:45,370 --> 00:01:52,600 A critical security vulnerability, by the way, would be something like a remote code execution bug where you can remotely take over a device 21 00:01:52,600 --> 00:01:56,150 by sending a specially crafted packet or data. 22 00:01:56,170 --> 00:01:59,180 So it's a pants-on-fire type bug. 23 00:01:59,260 --> 00:02:07,540 If we look at the top 50 worst products, we can see we've got Linux here, Mac OS X, Android for 24 00:02:07,540 --> 00:02:09,470 the mobile platform, 25 00:02:09,560 --> 00:02:15,940 iOS on the mobile platform, and a Linux distribution here, and a Windows operating system, all in the 26 00:02:15,940 --> 00:02:19,760 top 10 for products, top 50 worst products. 27 00:02:19,930 --> 00:02:27,550 And if we look at the CVSS scores we can see, of course, again Linux kernel, Mac OS X, Android, iOS, Debian, 28 00:02:27,550 --> 00:02:33,920 Windows Server, all in the top 10 for products and all with critical security vulnerabilities. 29 00:02:33,970 --> 00:02:41,230 So what can we take from this data? First, all operating systems have security vulnerabilities, and all 30 00:02:41,230 --> 00:02:45,600 operating systems have serious critical security vulnerabilities. 31 00:02:45,610 --> 00:02:50,350 So if someone is trying to tell you to move to Linux or Mac because that will solve all of your security 32 00:02:50,350 --> 00:02:51,220 problems, 33 00:02:51,220 --> 00:02:52,510 that's just a myth. 34 00:02:52,510 --> 00:02:53,780 Just look at the data. 35 00:02:53,860 --> 00:02:58,300 Other than that it's hard to take much more from this data. 36 00:02:58,300 --> 00:02:59,220 Why? 37 00:02:59,230 --> 00:03:02,820 Because there are many biases in how this data is collected. 
38 00:03:03,070 --> 00:03:10,240 So for example, researchers spend more time analyzing Windows simply because it's the most popular operating 39 00:03:10,240 --> 00:03:10,870 system. 40 00:03:10,930 --> 00:03:18,610 Mac and Linux will be less researched, so there should be a bias to finding Windows security bugs. More 41 00:03:18,610 --> 00:03:23,030 obscure versions of Linux will have much less research. 42 00:03:23,230 --> 00:03:26,090 So we should expect to see less security bugs. 43 00:03:26,170 --> 00:03:29,780 That does not mean there are less bugs in the operating system. 44 00:03:29,890 --> 00:03:32,550 It just means less have been found. 45 00:03:32,560 --> 00:03:39,020 Also, security researchers can get paid for finding security bugs, called bug bounties, which incentivizes 46 00:03:39,040 --> 00:03:43,810 security researchers to look at specific products, and particularly they're not going to be looking at 47 00:03:43,810 --> 00:03:49,150 open source products because they tend to not have bounties offering money. 48 00:03:49,150 --> 00:03:56,120 Another issue: a security bug could be recorded as a single vulnerability in one vulnerability database 49 00:03:56,200 --> 00:04:01,920 and as several vulnerabilities in another, simply based on how it's classified. 50 00:04:02,110 --> 00:04:10,150 A bug in Windows could apply to many of Microsoft's operating systems, which means as a vendor they might 51 00:04:10,150 --> 00:04:17,610 get 6 or so vendor vulnerabilities when it's really one bug for a single product or operating system. 52 00:04:17,620 --> 00:04:22,870 Also, Microsoft and Apple do their own security testing, so find their own vulnerabilities. 53 00:04:22,870 --> 00:04:28,240 So in this case it's good to have those vulnerabilities discovered, fixed and listed on here and other 54 00:04:28,240 --> 00:04:29,350 databases. 55 00:04:29,350 --> 00:04:34,610 There are lots of potential biases in how this data is created. 
56 00:04:34,630 --> 00:04:41,290 So from this data, the main message we can take from it is all operating systems have serious security 57 00:04:41,290 --> 00:04:42,340 vulnerabilities. 58 00:04:42,340 --> 00:04:46,270 It's just a question of time before more issues are found. 59 00:04:46,300 --> 00:04:50,440 This is a trend that won't end anytime soon. 60 00:04:50,440 --> 00:04:56,980 We will keep finding vulnerabilities, security vulnerabilities, in all our operating systems. 61 00:04:56,990 --> 00:05:02,670 Another metric to consider when thinking about security bugs is how fast fixes come out 62 00:05:02,720 --> 00:05:06,360 for these security vulnerabilities when they are disclosed. 63 00:05:06,460 --> 00:05:13,690 Microsoft and Apple do a good job of responding to vulnerability reports and produce patches to fix these 64 00:05:13,690 --> 00:05:21,790 issues pretty quick. More obscure Linux versions can take longer to fix issues, which is obviously a problem. 65 00:05:21,790 --> 00:05:28,960 For more information on bugs and vulnerability reports, read this here: Buying Into the Bias: Why Vulnerability 66 00:05:28,960 --> 00:05:30,370 Statistics Suck.