"When asked about the security of popular operating systems like Linux and Windows, many IT professionals have a reflexive reaction: Linux is relatively secure; Windows isn't," Laura Koetzle, a senior analyst with Forrester said Wednesday.
But is that off-the-cuff dismissal of Windows on the mark?
Not really, said Koetzle, the primary author of Forrester's "Is Linux More Secure Than Windows?" report. "We wanted to provide some data so that enterprises could make rational decisions, not ones based on pre-conceived notions," she said. "The answers were a bit surprising. Microsoft gets a fundamentally worse rap than it deserves."
To gauge the security of Windows and Linux--the latter marked by distributions from Debian, Red Hat, SuSE, and MandrakeSoft--Koetzle and several colleagues at Forrester collected security vulnerability data for the period between June 1, 2002, and May 31, 2003, using public data sources such as the Bugtraq mailing list, the bugzilla.org archives, CERT/CC at Carnegie Mellon University, and a host of other resources.
Forrester then created a quartet of metrics to measure how well each operating-system vendor responded with fixes to vulnerabilities, how thorough each was in fixing all the disclosed gaffes, and how each operating system ranked against the others in the severity of the vulnerabilities.
The metrics measured what Forrester described as "days of risk"--the number of total days between a vulnerability being made public and its first patch, the percentage of the vulnerabilities actually patched--"there's no credit for fixing 20 percent of vulnerabilities lightning-fast and ignoring the rest," said Koetzle--and the percentage of the vulnerabilities rated as "high" by the U.S. government's National Institutes for Standards and Technology's ICAT project.
Microsoft did the best job at patching vulnerabilities fast, even though it ranked had the largest percentage of its security holes rated as high, said Koetzle. During the year's worth of vulnerabilities, Microsoft posted just 25 days at risk; Red Hat and Debian were tied for second with 57 vulnerable days. MandrakeSoft's Linux distribution came in last, with 82 at-risk days, more than triple Windows'.
Measuring each operating-system vendor's thoroughness record, Forrester found that Microsoft again led the pack by patching all of the 128 severe problems discovered within Windows. Red Hat was second at 99.6% (it let one vulnerability slip through the cracks), while Debian brought up the rear by fixing 96.2% of the high-rated vulnerabilities (it left 11 unpatched).
The thoroughness of the Linux vendors came as a shock to Koetzle. "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty thorough."
Koetzle acknowledged that Forrester's numbers-oriented approach doesn't tell the entire tale, for although she considered the case closed when a vendor released a patch, that doesn't always jibe with reality.
"After the vendor releases a patch, it's up to all the customers to apply it," said Koetzle. And customers often don't patch. Koetzle's analysis of the nine highest-profile Windows security incidents from 2001 through March 2003 showed that although Microsoft's patches predated the outbreaks by an average of 305 days, most companies hadn't applied those patches.
That's where ease of use and installation of security fixes comes into play, she said, and pointed to Microsoft, MandrakeSoft, and SuSE as leaders in ease of use. "They all hang their hats on the ease with which relatively unskilled users and administrators can install, configure, and patch their systems."
Rather than make a broad-stroke statement that Windows is more secure than Linux, or visa versa, Forrester instead made recommendations to businesses based on what companies view as the most important aspect of security. "This is very much a case of your mileage may vary," Koetzle said.
Companies that value speed of patching vulnerabilities above all else should look to Microsoft or Debian's Linux because of those vendors' low number of at-risk days. Want to maximize security and administrator ease of use? Then Windows and Red Hat's Linux are the best fit.
"The bottom line? Any of these platforms can be operated securely," said Koetzle.