
Is Firefox More Secure than Internet Explorer?

Well, sure it is. According to the Firefox web site, which must of course be untainted by marketing claims since it is Mozilla, "Firefox continues to lead the way in online security".

OK, marketing hyperbole aside, I'm a data guy. I care about what the data says. Fortunately, Jeff Jones collected the data and did the analysis. Rather than color your conclusions by mine, I will let you draw your own conclusions from his analysis because (a) Jeff is a friend of mine and I won't let that influence a judgement, and (b) there may be a slight conflict of interest in the analysis due to Jeff's current employment situation. Nevertheless, it is an interesting read, and you can check the numbers for yourself.

Don't forget, too, that IE 7 under Vista runs at low integrity, which makes a lot of attacks far less severe. Jeff forgot to mention that in his analysis. Firefox does not run at low integrity; at least not yet.
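To make the low-integrity point concrete, here is an added illustration, not code from this post or from Microsoft: a small Python model of the default No-Write-Up rule of Vista's Mandatory Integrity Control. The four integrity levels, the rule itself, and the default labels for the user profile, the HKCU Run key and the LocalLow folder are real Windows behaviour; the process names, the paths and the High-labelled object are constructed placeholders for the sake of the comparison.

```python
"""Simplified model of Windows Mandatory Integrity Control (MIC).

Constructed illustration, not Windows code. Every securable object carries an
integrity label (objects without an explicit label count as Medium), and under
the default No-Write-Up policy a process may modify an object only if the
process label is at least as high as the object's label. Reads are not
restricted by the default policy, so only writes are modelled here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Integrity levels ordered from least to most trusted.
LOW, MEDIUM, HIGH, SYSTEM = "Low", "Medium", "High", "System"
_RANK = {LOW: 0, MEDIUM: 1, HIGH: 2, SYSTEM: 3}


@dataclass(frozen=True)
class SecurableObject:
    name: str
    label: str  # integrity label of the file, key or window


@dataclass(frozen=True)
class Process:
    name: str
    label: str  # integrity level of the process token


def can_write(proc: Process, obj: SecurableObject) -> bool:
    """No-Write-Up: writing is allowed only when the process integrity level
    is greater than or equal to the object's label."""
    return _RANK[proc.label] >= _RANK[obj.label]


# Constructed sample objects. The first three carry their real Vista defaults;
# the fourth is a hypothetical object an elevated installer labelled High.
USER_PROFILE = SecurableObject(r"C:\Users\alice\Documents", MEDIUM)
STARTUP_RUN_KEY = SecurableObject(
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", MEDIUM)
LOW_CACHE = SecurableObject(r"C:\Users\alice\AppData\LocalLow", LOW)
HIGH_OBJECT = SecurableObject(r"C:\example\admin-labelled-config.ini", HIGH)

SAMPLE_OBJECTS = [USER_PROFILE, STARTUP_RUN_KEY, LOW_CACHE, HIGH_OBJECT]


def blast_radius(proc: Process, objects: list[SecurableObject]) -> list[str]:
    """Names of the objects a process at this integrity level could modify
    under No-Write-Up, i.e. what a compromise of that process could alter."""
    return [o.name for o in objects if can_write(proc, o)]


def compare_browsers() -> dict[str, list[str]]:
    """Worked comparison: the same browser compromise at Low integrity
    (IE 7 Protected Mode) versus at the user's default Medium integrity."""
    low_browser = Process("iexplore.exe (Protected Mode)", LOW)
    medium_browser = Process("browser at user's default level", MEDIUM)
    return {
        low_browser.name: blast_radius(low_browser, SAMPLE_OBJECTS),
        medium_browser.name: blast_radius(medium_browser, SAMPLE_OBJECTS),
    }


if __name__ == "__main__":
    for name, reachable in compare_browsers().items():
        print(f"{name}: can write to {reachable}")
```

The Low-integrity browser can only touch the LocalLow cache, so a renderer compromise cannot persist in the Run key or modify the user's documents without an additional step; the Medium-integrity browser can write to everything the user can. The model deliberately ignores DACLs, which apply on top of the integrity check, so real blast radius is never larger than what this shows.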

All Software Has Vulnerabilities

No matter how smug you are about it, and how much you claim that security is someone else's problem, software will have vulnerabilities. It is a fact of life because software is, by far, the most complex engineering task mankind has ever undertaken.

In that light, I found a quote by Alan Paller, of the SANS Institute, in the latest @Risk Consensus Security Vulnerability Alert quite revealing:

If you are ever asked which operating system is safer, the following 'non-aligned' rule may be of some help. Given a fixed level of programming skill, the number of vulnerabilities in software is directly proportional to the number of lines of code and inversely proportional to the length of time the software has been in wide use. Large numbers of critical vulnerabilities are being, and were bound to be, discovered in Apple's operating system because Steve Jobs may design better hardware, but his programmers are no better at writing secure code than programmers in other software organizations.

Alan

Secure software is produced by software developers who have been adequately trained, who have great tools at their disposal, and who work in a supportive culture that makes it easier to do the right thing and harder to do the wrong thing.