Not so Fast and Not the Point

In a recent interview, Eugene Kaspersky (founder, Kaspersky Labs) said that Apple is 10 years behind Microsoft in terms of security. I use Apple products, but I am first and foremost a security professional. While I agree that Apple lags Microsoft, I don’t believe it is by ten years. However, I’m not going to build a case for my claim in this age-old (and rather boring) argument, or reignite an OS flame war that is past its prime and no longer applicable. Relative “security” is almost impossible to define, and each of the major operating systems is so good that the risk inherited from them is low. How is the security of an OS measured? Critical vulnerabilities? Number of malware attacks? Time to issue a patch? What I want to talk about are the security habits (both good and bad) that each has adopted over the past decade.

Regardless of where you stand on this issue, there’s really no need to choose a side. Arguing about whether Mac or PC or Linux (see my earlier blog) is more secure is starting to sound like the old Ford vs. Chevy argument (hint: it really doesn’t matter). They both have a good security posture and secure platforms. I think that Microsoft is still ahead of the game, especially in terms of process maturity and investment, but that doesn’t imply that Apple doesn’t have it together. Additionally, it’s far more important to consider the software, not the OS or the network, when thinking about security. You inherit far more risk by installing some random application you downloaded from the internet that automatically delivers pictures of cute cats daily than you do from any major OS. As security gets baked into the lower-level systems, attackers will move their attacks to the higher-level, softer targets. We see this now in application-based worms, and with the introduction of HTML5 web workers and web sockets, attackers are crafting worms and botnets that target that technology. We’re just moving on up the toolchain.

Apple was able to create OS X, released in 2001, with a lot of security fundamentals borrowed (or stolen) from the Unix architecture, which puts them on a different foundation than Microsoft with their NT lineage. This just means that Apple got to learn from other people’s mistakes. This isn’t news. That said, Microsoft has spent the last 10 years developing a secure OS foundation to meet the demanding security needs they face.

Microsoft has made huge strides to secure their systems. Ten years ago, they had just started to implement their Security Development Lifecycle (SDL) and their Trustworthy Computing Initiative. Both are the foundation of the mature security process we see today (which entails education and assessments as well). Also around that time, Microsoft had just dealt with the Code Red (2001) and Nimda worms and had the SQL Slammer worm (2003) to look forward to.

It’s well documented that Microsoft started from a shaky base due to their (and the industry’s) lack of security knowledge decades ago. Mac threw everything out between OS 9 and OS X to leverage all the Unixy goodness that we see today. Their security model and processes are behind Microsoft’s, but they started a bit later, and we’ll see if/when they can catch up.

What is perhaps a bit unsettling is how Kaspersky described Apple’s progress on the security front.

Now that Macs are more popular, the people who create viruses and malware will pay more attention to them. If Linux became popular, the same thing would happen. Apple has entered Microsoft’s purgatory, but I think they have enough security know-how to put their best foot forward – knowledge gained from the not-so-enviable position Microsoft has been in for quite some time.

As a security professional I’d like to see much more transparency from Apple. I’d like to see information about the security issues that are fixed by a patch. I think this also requires a fundamental change in the way they deal with security researchers. Instead of treating us like criminals when we report a vulnerability, work with us. Listen to how the OS or the Apple apps are broken and help us help you.

For more information on why we need to start thinking about software (versus OS) security, check out my previous blog: