Comparing Windows And Linux Security - InformationWeek

Software // Enterprise Applications
News
3/31/2004 05:02 PM
Gregg Keizer

Forrester Research's report on OS security found Microsoft did the best job at patching vulnerabilities quickly, but Linux vendors are more thorough.

Although the knee-jerk response from IT professionals is that Linux is more secure than Windows -- how can it not be? -- the real answer is a lot more complex, according to a recently released report from Forrester Research.

"When asked about the security of popular operating systems like Linux and Windows, many IT professionals have a reflexive reaction: Linux is relatively secure, Windows isn't," Laura Koetzle, a senior analyst with Forrester said on Wednesday.

But is that off-the-cuff dismissal of Windows on the mark?

Not really, said Koetzle, the primary author of Forrester's "Is Linux More Secure Than Windows?" report. "We wanted to provide some data so that enterprises could make rational decisions, not ones based on preconceived notions," she said.

"The answers were a bit surprising. Microsoft gets a fundamentally worse rap than it deserves."

To gauge the security of Windows and Linux -- the latter marked by distributions from Debian, Red Hat, SuSE, and MandrakeSoft -- Koetzle and several colleagues at Forrester collected security vulnerability data for the period between June 1, 2002 and May 31, 2003 using public data sources such as the Bugtraq mailing list, the bugzilla.org archives, CERT/CC at Carnegie Mellon, and a host of other resources.

Forrester then created a quartet of metrics to measure how well each operating system vendor responded with fixes to vulnerabilities, how thorough each was in fixing all the disclosed gaffes, and how each OS ranked against the others in the severity of the vulnerabilities.

The metrics measured what Forrester described as "days of risk" (the total number of days between a vulnerability being made public and its first patch), the percentage of the vulnerabilities actually patched -- "There's no credit for fixing 20 percent of vulnerabilities lightning-fast and ignoring the rest," said Koetzle -- and the percentage of the vulnerabilities rated "high" by the ICAT project of the U.S. government's National Institute of Standards and Technology (NIST).

Surprisingly, Microsoft did the best job at patching vulnerabilities fast, even though it ranked at the top with the largest percentage of its security holes rated as high, said Koetzle.

During the year's worth of vulnerabilities, Microsoft posted just 25 days at risk, while Red Hat and Debian tied for second, with 57 vulnerable days. MandrakeSoft's Linux distribution came in dead last, with 82 at-risk days, more than triple Windows'.

Measuring each OS vendor's thoroughness record, Forrester found that Microsoft again led the pack by patching all of the 128 severe problems discovered within Windows. Red Hat came in second at 99.6 percent (it let one vulnerability slip through the cracks), while Debian brought up the rear by fixing 96.2 percent of the high-rated vulnerabilities (Debian left 11 unpatched).

The thoroughness of the Linux vendors came as a shock to Koetzle. "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty darn thorough."

Koetzle acknowledged that Forrester's numbers-oriented approach doesn't tell the entire tale: she considered a case closed when a vendor released a patch, but that doesn't always jibe with reality.

"After the vendor releases a patch, it's up to all the customers to apply it," said Koetzle. And customers often don't patch. Koetzle's analysis of the nine highest profile Windows security incidents from 2001 through March 2003 showed that although Microsoft's patches predated the outbreaks by an average of 305 days, most firms hadn't applied those patches.
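The metrics described above (days of risk, percentage patched, percentage rated high) are straightforward to compute from a per-vendor list of disclosed vulnerabilities, and Koetzle's caveat that a released patch is not an applied patch suggests one more figure worth tracking. The script below is an added example, not code from Forrester or InformationWeek: it computes the three report-style metrics over constructed sample records for two hypothetical vendors and adds an organisation-side "exposure days" metric (disclosure until the fix was actually deployed) that goes beyond the article. The vulnerability identifiers, dates and severities are invented; the article does not say how Forrester treated unpatched issues when averaging days of risk, so excluding them there and counting them against thoroughness instead is this example's own choice.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    """One disclosed vulnerability for a single platform (constructed sample data)."""
    vuln_id: str                     # placeholder identifier, not a real advisory id
    disclosed: date                  # day the issue became public
    severity: str                    # "high", "medium" or "low", an ICAT-style rating
    patched: Optional[date] = None   # vendor's first fix; None means still unpatched
    applied: Optional[date] = None   # day the organisation deployed the fix; None = not yet


def days_of_risk(vulns: List[Vuln]) -> Optional[float]:
    """Average days between public disclosure and the vendor's first patch.
    Unpatched issues have no patch date, so they are left out of this average
    (an assumption of this example) and penalised by pct_patched() instead.
    Returns None when nothing in the list was patched."""
    fixed = [v for v in vulns if v.patched is not None]
    if not fixed:
        return None
    return sum((v.patched - v.disclosed).days for v in fixed) / len(fixed)


def pct_patched(vulns: List[Vuln]) -> float:
    """Thoroughness: share of disclosed issues that received a vendor fix."""
    if not vulns:
        return 0.0
    return 100.0 * sum(1 for v in vulns if v.patched is not None) / len(vulns)


def pct_high(vulns: List[Vuln]) -> float:
    """Severity profile: share of disclosed issues rated high."""
    if not vulns:
        return 0.0
    return 100.0 * sum(1 for v in vulns if v.severity == "high") / len(vulns)


def exposure_days(vulns: List[Vuln], as_of: date) -> Optional[float]:
    """Average days the deploying organisation stayed exposed: from disclosure
    until the fix was actually applied, or until as_of when it never was
    (which also covers issues the vendor never fixed). This is the gap the
    vendor-side days-of-risk figure does not capture."""
    if not vulns:
        return None
    total = 0
    for v in vulns:
        end = v.applied if v.applied is not None else as_of
        total += (end - v.disclosed).days
    return total / len(vulns)


def summarize(vendor: str, vulns: List[Vuln], as_of: date) -> Dict[str, object]:
    """All four metrics for one vendor in a single row."""
    return {
        "vendor": vendor,
        "count": len(vulns),
        "days_of_risk": days_of_risk(vulns),
        "pct_patched": pct_patched(vulns),
        "pct_high": pct_high(vulns),
        "exposure_days": exposure_days(vulns, as_of),
    }


def rank(datasets: Dict[str, List[Vuln]], as_of: date,
         key: str = "days_of_risk") -> List[Dict[str, object]]:
    """Rank vendors ascending on a day-based metric (lower is better);
    a vendor with no patched issues sorts last."""
    rows = [summarize(name, vulns, as_of) for name, vulns in datasets.items()]
    return sorted(rows, key=lambda r: float("inf") if r[key] is None else r[key])


AS_OF = date(2003, 5, 31)  # end of the review window the report used

# Constructed records for two hypothetical vendors; none are real advisories.
SAMPLE: Dict[str, List[Vuln]] = {
    "VendorA": [
        Vuln("A-1", date(2002, 6, 1), "high", patched=date(2002, 6, 11), applied=date(2002, 7, 1)),
        Vuln("A-2", date(2002, 8, 15), "medium", patched=date(2002, 9, 14)),   # never deployed
        Vuln("A-3", date(2003, 1, 10), "high", patched=date(2003, 1, 30), applied=date(2003, 2, 9)),
        Vuln("A-4", date(2003, 3, 1), "low"),                                   # never fixed
    ],
    "VendorB": [
        Vuln("B-1", date(2002, 7, 1), "high", patched=date(2002, 7, 6), applied=date(2002, 7, 10)),
        Vuln("B-2", date(2002, 10, 1), "high", patched=date(2002, 10, 16), applied=date(2002, 10, 20)),
        Vuln("B-3", date(2003, 2, 1), "medium", patched=date(2003, 2, 11), applied=date(2003, 2, 15)),
    ],
}

if __name__ == "__main__":
    for row in rank(SAMPLE, AS_OF):
        print(row)
```

On the sample data VendorA averages 20 days of risk and 75 percent patched, yet the organisation's own exposure averages 110 days because one fix was never rolled out and one issue was never fixed; VendorB, with a 10-day average, a perfect patch record and prompt deployment, sits at 14 exposure days. The two day-based figures diverging that far is exactly the point Koetzle makes: the vendor's clock stops at release, the defender's stops at deployment.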

That's where ease of use and installation of security fixes comes into play, she said, and pointed to Microsoft, MandrakeSoft, and SuSE as leaders in ease of use. "They all hang their hats on the ease with which relatively unskilled users and administrators can install, configure, and patch their systems."

Rather than make a broad-stroke statement that Windows is more secure than Linux, or vice versa, Forrester instead made recommendations to enterprises based on what companies view as the most important aspect of security. "This is very much a case of your mileage may vary," Koetzle said.

Firms that value speed of patching vulnerabilities above all else should look to Microsoft or Debian's Linux because of those vendors' low number of at-risk days. Want to maximize security and administrator ease of use? Then Windows and Red Hat's Linux are the best fit.

"The bottom line? Any of these platforms can be operated securely," said Koetzle.
