Comment Re:This is well understood to be bullshit (Score 1) 585
But the monoculture argument still applies even when you are able to reduce the number of security-related bugs. It is not the defect _density_ of the application that counts. If a _single_ security-related bug is found in a networked application in widespread use, then it can be exploited by a worm that will spread through the population like wildfire.
Unless you can eliminate _all_ security-related bugs from your application, then it is still potentially vulnerable, especially if it is connected via the internet to other copies of itself containing the same _single_ bug.
The vulnerability here arises not because of the number of _bugs_, or security vulnerabilities, but because of the number of _interconnections_ with other applications sharing the same bug(s). In a monoculture, worms and viruses can still spread if the number of bugs is small, provided that the number of networked applications sharing these bugs is high.
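Added illustration of the comment's argument (not part of the original post and not the commenter's code): a small percolation model in which the software has exactly one shared bug in every run and only the share of networked hosts running it varies. The random topology, host count, link count and seed are constructed assumptions.

```python
import random
from collections import deque

def build_network(n_hosts, avg_links, rng):
    """Random undirected graph of hosts (constructed topology, not real data)."""
    peers = [set() for _ in range(n_hosts)]
    for _ in range(n_hosts * avg_links // 2):
        a, b = rng.randrange(n_hosts), rng.randrange(n_hosts)
        if a != b:
            peers[a].add(b)
            peers[b].add(a)
    return peers

def largest_outbreak(peers, shares_bug):
    """Size of the largest connected cluster of hosts that all share the bug."""
    seen, best = set(), 0
    for start in range(len(peers)):
        if not shares_bug[start] or start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            host = queue.popleft()
            size += 1
            # Only links between two hosts with the same bug can carry the spread.
            for peer in peers[host]:
                if shares_bug[peer] and peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        best = max(best, size)
    return best

def outbreak_fraction(market_share, n_hosts=2000, avg_links=4, seed=1):
    """Fraction of all hosts inside the largest same-bug cluster."""
    rng = random.Random(seed)
    peers = build_network(n_hosts, avg_links, rng)
    # The bug count is fixed at one; only the share of hosts carrying it changes.
    shares_bug = [rng.random() < market_share for _ in range(n_hosts)]
    return largest_outbreak(peers, shares_bug) / n_hosts

if __name__ == "__main__":
    for share in (0.1, 0.3, 0.6, 0.9):
        print(f"{share:.0%} of hosts run the software with the bug: "
              f"largest reachable cluster is {outbreak_fraction(share):.1%} of all hosts")
```

With about four links per host, the same-bug cluster stays fragmented while the software's share is small and becomes one large connected cluster once the share times the link count passes roughly one, even though the number of bugs never changes.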