Whos More Secure Than Whom?

Windows and Linux both have lots of security problems, and which users are more secure depends on many things. But the most important thing isn't the software; it's the administrator and the organization.

Many thanks to my colleague Steven J. Vaughan-Nichols, editor of our Linux & Open Source Center, for referring a recent Forrester Research report to my attention.

As Stevens own story on the report shows, the main finding, counterintuitive to many, is that there is no obvious answer to the question of whether Windows or Linux is more secure than the other. It depends on your point of view. I came away from the report thinking, as I have always thought, that the main variable is the dedication of administrators and a given organization to security.

/zimages/2/28571.gif

Forrester concludes that Microsoft is, on average, faster than Linux vendors at fixing known vulnerabilities, but that Windows has more of them than Linux. I could quibble with a lot of these numbers, but I think its more important to recognize that they are all in the ballpark with each other.

A Linux advocate could have a lot of arguments with Forresters positions. For instance, Forrester tracked the distribution of patches by Linux distributors, specifically Red Hat, Suse, MandrakeSoft and Debian. When a patch comes out for a Linux bug, it will often come out first in another venue, such as kernel.org or apache.org. At this point, the distributors have to do some testing before they issue their own advisories and code. Its often possible for Linux users to patch their systems faster than the Forrester research assumes.

Theres some merit in this argument, but I wouldnt want to lean too hard on the numbers. One of the reasons companies pay money to companies like Red Hat is so that there will be one place where they can go to get software that has been tested and can be supported. Ive noticed the same effect without thinking too hard about it; I subscribe to Symantecs DeepSight Alert Services and Ive seen that for some time after a Linux threat is announced and patched, advisories and patches from the various distributions straggle in. Theres more room for criticism here than Ive considered in the past.

Its also true that Windows administrators have other security issues to deal with, such as anti-virus protection, that either arent present or arent as urgent on Linux. But even most Linux administrators have Windows desktop users to support, which to some degree makes this issue a wash. Im also coming to the conclusion that the vast majority of the big Windows viruses can be stopped with good patching policies and intelligent perimeter filtering. More on that in another column later.

Microsoft takes a lot of guff in security circles for unpatched vulnerabilities, so it was a little surprising to see Forresters conclusion that Microsoft had a far lower average "all days of risk," meaning days between the disclosure of a vulnerability and the availability of a patch. Some of the Forrester numbers for distribution days of risk, meaning days between the release of a patch by the component author and the release by a distributor, are downright appalling. Since this is a testing-bandwidth issue, I conclude that Microsoft has the advantage of gobs of money to throw at testing resources, primarily in its own labs.

But the real bottleneck has always proved to be the end of the food chain: namely, the administrator applying the patch. People are rightly nervous about applying patches to functioning, stable systems, even with the threat of some horrible security problem. It is possible to set up systems both to test patches and apply them expeditiously, but these require an investment that makes you feel like youre paying mob-protection money.

But youre going to pay one way or another. If you want your systems to be current and tested, either you shell out for systems that facilitate it, or youre going to be putting in tons of overtime at unpredictable points. Its OK—youre hourly, right? Ha, ha!

The alternative is that youll find yourself in the same position as a lot of people were with Slammer last year, six-plus months after the release of a patch, when your systems all go down because you were "too busy" for all that time.

So whatever your operating system, the real issue is not the software company. The issue is how much time you have to deal with security, and how important it is to your company. Just run the numbers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/2/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

More from Larry Seltzer