On Mon, Jan 23, 2006 at 05:08:00PM -0500, Dave Feustel wrote:
> Secunia gives OpenBSD a pretty nice security rating at
> http://secunia.com/product/100/

Those statistics say nothing at first glance. For example, I could
argue that PHP 4.3.x is more secure than OpenBSD because there were
fewer advisories. Duh!

Of course, this would be a loony comparison, but IIRC, I've actually
seen that sort of "argumentation".

And what's really missing at secunia.com is some data about response
time wrt. severity.

There are other criteria on "good" vs. "bad" security. For example,
look at that CMS named "typo3". People say it's "secure". Secunia
also says it's "secure". But it's based on PHP and MySQL, which I
don't consider secure. Even worse, I had a look at typo3, the way
they develop, their documentation, their "hardening" hints, their
coding guidelines and their sources. Guess what? I'll never use it.

Ciao,
        Kili
