Marc's not saying anything that 80+% of people working in software security haven't been saying for years. Nothing against Marc, just, this isn't controversial. Of course they are.
In my office we have email virus scanners, network virus scanners, and virus scanners on all the PCs and servers. You know what they are all looking for? Windows viruses. I'm probably more advanced than most Mac users; I don't enter my password at the request of every prompt and I read the file manifest for each installer. Mac owners know they are not impervious. Most wouldn't know what to do if their Mac was infected with a virus. But they know there are far juicier targets than OSX.
A virus hasn't been built yet to take a Mac down. What you have is a bunch of hypothetical lab scenarios of how it could be done, and 0 real world data.
Companies are paying crackers with $2000 Macbook Pros while real money is being made ($millions) writing PC viruses. OSX doesn't need to be more secure than Windows 7 (it should be the goal though). It just needs to be more secure than 90% of the PCs out there running XP.
For what it's worth, the cover of "Writing Secure Code 2" has a quote from Bill Gates "Required reading at Microsoft." On my very first day at MS I was handed a copy and told to read it (and I did). Our code also went under strict security reviews and just about any refactoring, bug fix, anything that potentially affected security had to be reviewed too.
The only reason Apple gets little increase in security is because they're running on top of a Unix-based operating system and they can take advantage of some of the things that have been done for them.
Am I misreading this, or is he saying these advantages Apple has don't count because they're playing on easy mode with their OS design?
No, he's saying Apple got a basic level of security for free but if they don't fix their broken security auditing the issue will creep up on them (and their users) as they gain market share.
I use Unix as well, on the server and on the desktop. But that doesn't automatically make all my code secure. What made Unix more secure than the original Windows was a particular attitude. An attitude that Apple doesn't have (or maybe didn't have until very recently).
Yes, but Apple has a smaller install base so they are targeted less often. In practice, I think you are more secure on OSX at the moment. If their install base grows, I expect that will change.
Even though Macs may be less secure than Windows, there is significantly less malware targeted at Macs, so a Mac is relatively 'safe' for an average user.
On the other hand, if you're running the server for a bank - where you expect to get constantly hit by crackers looking for an exploit - Windows would probably stand up better than a Mac.
For the same reason that putting bars on your windows near the projects in Englewood makes you more secure, but less safe than someone without bars on their window in the suburbs.
"Marc Maiffret...now works trying to find security flaws in Microsoft's software...". I wonder who pays him? No surprises as to why he finds Microsoft more secure than Apple and Adobe.
I took a quick look at the company's products, and I don't really see how he stands to benefit by convincing people Microsoft is more secure than its competitors.