Whos More Secure Than Whom?

By Larry Seltzer  |  Posted 2004-04-01 Print this article Print

Windows and Linux both have lots of security problems, and which users are more secure depends on many things. But the most important thing isn't the software; it's the administrator and the organization.

Many thanks to my colleague Steven J. Vaughan-Nichols, editor of our Linux & Open Source Center, for referring a recent Forrester Research report to my attention. As Stevens own story on the report shows, the main finding, counterintuitive to many, is that there is no obvious answer to the question of whether Windows or Linux is more secure than the other. It depends on your point of view. I came away from the report thinking, as I have always thought, that the main variable is the dedication of administrators and a given organization to security.

Forrester concludes that Microsoft is, on average, faster than Linux vendors at fixing known vulnerabilities, but that Windows has more of them than Linux. I could quibble with a lot of these numbers, but I think its more important to recognize that they are all in the ballpark with each other.

A Linux advocate could have a lot of arguments with Forresters positions. For instance, Forrester tracked the distribution of patches by Linux distributors, specifically Red Hat, Suse, MandrakeSoft and Debian. When a patch comes out for a Linux bug, it will often come out first in another venue, such as kernel.org or apache.org. At this point, the distributors have to do some testing before they issue their own advisories and code. Its often possible for Linux users to patch their systems faster than the Forrester research assumes.

Theres some merit in this argument, but I wouldnt want to lean too hard on the numbers. One of the reasons companies pay money to companies like Red Hat is so that there will be one place where they can go to get software that has been tested and can be supported. Ive noticed the same effect without thinking too hard about it; I subscribe to Symantecs DeepSight Alert Services and Ive seen that for some time after a Linux threat is announced and patched, advisories and patches from the various distributions straggle in. Theres more room for criticism here than Ive considered in the past.

Its also true that Windows administrators have other security issues to deal with, such as anti-virus protection, that either arent present or arent as urgent on Linux. But even most Linux administrators have Windows desktop users to support, which to some degree makes this issue a wash. Im also coming to the conclusion that the vast majority of the big Windows viruses can be stopped with good patching policies and intelligent perimeter filtering. More on that in another column later.

Microsoft takes a lot of guff in security circles for unpatched vulnerabilities, so it was a little surprising to see Forresters conclusion that Microsoft had a far lower average "all days of risk," meaning days between the disclosure of a vulnerability and the availability of a patch. Some of the Forrester numbers for distribution days of risk, meaning days between the release of a patch by the component author and the release by a distributor, are downright appalling. Since this is a testing-bandwidth issue, I conclude that Microsoft has the advantage of gobs of money to throw at testing resources, primarily in its own labs.

But the real bottleneck has always proved to be the end of the food chain: namely, the administrator applying the patch. People are rightly nervous about applying patches to functioning, stable systems, even with the threat of some horrible security problem. It is possible to set up systems both to test patches and apply them expeditiously, but these require an investment that makes you feel like youre paying mob-protection money.

But youre going to pay one way or another. If you want your systems to be current and tested, either you shell out for systems that facilitate it, or youre going to be putting in tons of overtime at unpredictable points. Its OK—youre hourly, right? Ha, ha!

The alternative is that youll find yourself in the same position as a lot of people were with Slammer last year, six-plus months after the release of a patch, when your systems all go down because you were "too busy" for all that time.

So whatever your operating system, the real issue is not the software company. The issue is how much time you have to deal with security, and how important it is to your company. Just run the numbers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel