Windows Vs. Linux Security: Depends On Who You Ask - InformationWeek

A new Forrester Research study says the question of which operating system is more secure depends greatly on what aspects of security companies see as most important.

Although the knee-jerk response from IT professionals is that Linux is more secure than Windows, the real answer is a lot more complex, according to a recently released report from Forrester Research.

"When asked about the security of popular operating systems like Linux and Windows, many IT professionals have a reflexive reaction: Linux is relatively secure; Windows isn't," Laura Koetzle, a senior analyst with Forrester said Wednesday.

But is that off-the-cuff dismissal of Windows on the mark?

Not really, said Koetzle, the primary author of Forrester's "Is Linux More Secure Than Windows?" report. "We wanted to provide some data so that enterprises could make rational decisions, not ones based on pre-conceived notions," she said. "The answers were a bit surprising. Microsoft gets a fundamentally worse rap than it deserves."

To gauge the security of Windows and Linux--the latter marked by distributions from Debian, Red Hat, SuSE, and MandrakeSoft--Koetzle and several colleagues at Forrester collected security vulnerability data for the period between June 1, 2002, and May 31, 2003, using public data sources such as the Bugtraq mailing list, the archives, CERT/CC at Carnegie Mellon University, and a host of other resources.

Forrester then created a quartet of metrics to measure how well each operating-system vendor responded with fixes to vulnerabilities, how thorough each was in fixing all the disclosed gaffes, and how each operating system ranked against the others in the severity of the vulnerabilities.

The metrics measured what Forrester described as "days of risk"--the number of total days between a vulnerability being made public and its first patch, the percentage of the vulnerabilities actually patched--"there's no credit for fixing 20 percent of vulnerabilities lightning-fast and ignoring the rest," said Koetzle--and the percentage of the vulnerabilities rated as "high" by the U.S. government's National Institute of Standards and Technology's ICAT project.
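To make the three metrics concrete, here is an added example (not Forrester's code or method, and not part of the original article) that computes them over a small, constructed set of vulnerability records. It assumes days of risk are averaged per vendor over the vulnerabilities that received a patch, that an unpatched vulnerability contributes nothing to that average but counts against the thoroughness percentage (the "no credit" point above), and that severity is an ICAT-style label with "high" as the value of interest. The vendor names, dates and severities are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Vuln:
    """One publicly disclosed vulnerability, as a vendor-tracking analyst would record it."""
    vendor: str
    disclosed: date
    severity: str                       # ICAT-style label: "high", "medium" or "low" (assumed)
    patches: List[date] = field(default_factory=list)  # dates of vendor fixes; empty = unpatched

    def first_patch(self) -> Optional[date]:
        # Only the first fix stops the clock; later re-releases do not matter here.
        return min(self.patches) if self.patches else None

    def days_of_risk(self) -> Optional[int]:
        # Days between public disclosure and first patch; None while unpatched.
        fp = self.first_patch()
        return (fp - self.disclosed).days if fp else None


def vendor_metrics(vulns: List[Vuln]) -> Dict[str, dict]:
    """Per-vendor: average days of risk (patched vulns only), % patched, % rated high."""
    by_vendor: Dict[str, List[Vuln]] = {}
    for v in vulns:
        by_vendor.setdefault(v.vendor, []).append(v)

    out: Dict[str, dict] = {}
    for vendor, vs in by_vendor.items():
        patched = [v for v in vs if v.first_patch() is not None]
        dor = [v.days_of_risk() for v in patched]
        out[vendor] = {
            "count": len(vs),
            "avg_days_of_risk": round(sum(dor) / len(dor), 1) if dor else None,
            "pct_patched": round(100.0 * len(patched) / len(vs), 1),
            "pct_high": round(100.0 * sum(v.severity == "high" for v in vs) / len(vs), 1),
        }
    return out


def rank_by(metrics: Dict[str, dict], key: str) -> List[str]:
    """Vendors ordered best-first for the given metric (lower days of risk and
    lower share of high-rated holes are better; higher % patched is better)."""
    reverse = key == "pct_patched"
    missing = float("inf") if not reverse else float("-inf")
    return sorted(metrics, key=lambda v: metrics[v][key] if metrics[v][key] is not None else missing,
                  reverse=reverse)


# Constructed sample data: two fictional vendors, four disclosures each.
SAMPLE = [
    Vuln("ExampleOS-A", date(2002, 6, 1), "high",   [date(2002, 6, 11)]),
    Vuln("ExampleOS-A", date(2002, 7, 1), "high",   [date(2002, 7, 31), date(2002, 7, 21)]),
    Vuln("ExampleOS-A", date(2002, 8, 1), "medium", [date(2002, 8, 31)]),
    Vuln("ExampleOS-A", date(2002, 9, 1), "low",    [date(2002, 9, 5)]),
    Vuln("ExampleOS-B", date(2002, 6, 1), "high",   [date(2002, 6, 3)]),
    Vuln("ExampleOS-B", date(2002, 7, 1), "low",    [date(2002, 7, 3)]),
    Vuln("ExampleOS-B", date(2002, 8, 1), "medium", [date(2002, 9, 30)]),
    Vuln("ExampleOS-B", date(2002, 9, 1), "high",   []),   # disclosed, never fixed
]

if __name__ == "__main__":
    m = vendor_metrics(SAMPLE)
    for vendor, row in m.items():
        print(vendor, row)
    print("fastest patcher:", rank_by(m, "avg_days_of_risk")[0])
    print("most thorough:", rank_by(m, "pct_patched")[0])
```

Vendor B fixes two of its holes within two days yet still averages worse than A, because one fix took 60 days and the unpatched one shows up only in the thoroughness column; reading either column alone would rank the vendors differently, which is the point Koetzle makes about not judging on speed alone.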

Microsoft did the best job at patching vulnerabilities fast, even though it had the largest percentage of its security holes rated as high, said Koetzle. During the year's worth of vulnerabilities, Microsoft posted just 25 days at risk; Red Hat and Debian were tied for second with 57 vulnerable days. MandrakeSoft's Linux distribution came in last, with 82 at-risk days, more than triple Windows'.

Measuring each operating-system vendor's thoroughness record, Forrester found that Microsoft again led the pack by patching all of the 128 severe problems discovered within Windows. Red Hat was second at 99.6% (it let one vulnerability slip through the cracks), while Debian brought up the rear by fixing 96.2% of the high-rated vulnerabilities (it left 11 unpatched).

The thoroughness of the Linux vendors came as a shock to Koetzle. "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty thorough."

Koetzle acknowledged that Forrester's numbers-oriented approach doesn't tell the entire tale, for although she considered the case closed when a vendor released a patch, that doesn't always jibe with reality.

"After the vendor releases a patch, it's up to all the customers to apply it," said Koetzle. And customers often don't patch. Koetzle's analysis of the nine highest-profile Windows security incidents from 2001 through March 2003 showed that although Microsoft's patches predated the outbreaks by an average of 305 days, most companies hadn't applied those patches.

That's where ease of use and installation of security fixes comes into play, she said, and pointed to Microsoft, MandrakeSoft, and SuSE as leaders in ease of use. "They all hang their hats on the ease with which relatively unskilled users and administrators can install, configure, and patch their systems."

Rather than make a broad-stroke statement that Windows is more secure than Linux, or vice versa, Forrester instead made recommendations to businesses based on what companies view as the most important aspect of security. "This is very much a case of your mileage may vary," Koetzle said.

Companies that value speed of patching vulnerabilities above all else should look to Microsoft or Debian's Linux because of those vendors' low number of at-risk days. Want to maximize security and administrator ease of use? Then Windows and Red Hat's Linux are the best fit.

"The bottom line? Any of these platforms can be operated securely," said Koetzle.
