Here’s another interesting data table out of the latest IBM ISS X-Force security report:
This table shows the Operating Systems with the most security vulnerabilities in 2008. Compared to any single version of any other OS, Apple OS X takes the top spot.
I am bound to get some comments saying that I am claiming that Windows is more secure than OS X. I am not. Microsoft has its issues – but Mac OS X clearly has its own issues. Any OS will have vulnerabilities, but fewer is always better – it reduces risk and, more importantly, reduces our cost of supporting and maintaining the system. The question is not whether Apple produces more or less secure OS code than Microsoft, Sun or IBM. Look at the data and ask yourself: “Is Apple doing enough to produce secure code for me?”
Microsoft learned the hard way. In the 2001-2002 timeframe, you were really feeling the pain of using Microsoft’s vulnerable software (Sasser, Blaster, Code Red, Nimda and so on). You voted with your wallet and started switching to alternative OSs like Linux. Bill Gates woke up one night in a cold sweat. The infamous “Trustworthy Computing Memo” was written. Millions were spent on changing Microsoft’s development process and culture (including the use of testing tools) to produce more secure code.
It was painful for Microsoft. It was painful for us. But it needed to happen.
If we are going to use Apple products in the enterprise, then we should hold them to the same standards we hold any of our IT suppliers to, including specific requirements for security testing and threat modeling throughout the software development process.
Even cool products need to be written securely.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.