Friday, March 25, 2005

New study claims Microsoft more secure than Linux

Fans of Linux point to better security as a benefit of Linux over Microsoft operating systems. However, a new study by security applications firm Security Innovations comes to the opposite conclusion.

The study compared Web servers running the default configuration of Red Hat Enterprise Linux ES 3 against Web servers running the default configuration of Windows Server 2003 and concluded that the Red Hat systems are less secure. Its measure is a "days of risk" metric: for each vulnerability, the number of days that the vendor knew of the flaw but had not shipped a patch, so a vulnerability that is still unpatched keeps accumulating days until the end of the measurement period.

Critics of the study immediately jumped on the fact that, as it turns out, the study was funded by Microsoft. It's not the first time that a Microsoft-funded study has found Microsoft superior to Linux. Back in 2002, I wrote about this IDC study funded by Microsoft that touted Microsoft's benefits over Linux. I later did a detailed rebuttal to an Aberdeen study that found Linux and open source products less secure than Microsoft's offerings.

Although Microsoft's funding of the study calls into question its objectivity, the results should not be dismissed out of hand. A more thoughtful approach would be to look at the data and the methodology and determine whether the conclusions are valid. Security Innovations, to its credit, has published both the data and the methodology, making such an evaluation possible.

Red Hat, which was not given an opportunity to review the findings prior to publication, criticizes the study for not weighting each vulnerability by its severity when calculating the days-of-risk metric. Vendors reasonably prioritize their efforts and fix the most critical vulnerabilities first, and a metric that counts a day of exposure to a low-severity flaw the same as a day of exposure to a critical one penalizes exactly that prioritization. Red Hat claims that under a severity-weighted calculation, Linux comes out more secure than Windows Server 2003.
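To make the disagreement concrete, here is a small worked example (added here; it is not code from the Security Innovations study, from Red Hat, or from the original post) that computes the plain days-of-risk metric described above and Red Hat's severity-weighted variant over a constructed set of vulnerabilities. The severity weights, the vendor names "A" and "B", the vulnerability identifiers and all dates are assumptions made up for the illustration, as is the handling of a still-open flaw (counted up to an as-of date). The data is deliberately chosen so that the two metrics rank the vendors in opposite orders, which is the whole of Red Hat's objection.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Callable, Iterable

# Assumed weights for the severity-weighted variant. The post does not say
# what weighting Red Hat used, so these are illustrative only.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Vuln:
    ident: str                 # made-up identifier, not a real advisory
    severity: str
    known: date                # date the vendor learned of the flaw
    patched: Optional[date]    # None if still unpatched on the as-of date


def days_of_risk(v: Vuln, as_of: date) -> int:
    """Days the flaw was known to the vendor but unpatched.

    A flaw with no patch yet counts up to `as_of`, so an open issue keeps
    accumulating days instead of silently dropping out of the metric.
    """
    end = v.patched if v.patched is not None else as_of
    if end < v.known:
        raise ValueError(f"{v.ident}: patch date precedes the known date")
    return (end - v.known).days


def average_days_of_risk(vulns: Iterable[Vuln], as_of: date) -> float:
    """Unweighted metric: every vulnerability counts the same."""
    vulns = list(vulns)
    if not vulns:
        return 0.0
    return sum(days_of_risk(v, as_of) for v in vulns) / len(vulns)


def weighted_days_of_risk(vulns: Iterable[Vuln], as_of: date,
                          weights: dict = SEVERITY_WEIGHT) -> float:
    """Severity-weighted variant: a day of exposure counts in proportion
    to the severity weight, so slow fixes for critical flaws dominate."""
    vulns = list(vulns)
    if not vulns:
        return 0.0
    total_weight = sum(weights[v.severity] for v in vulns)
    return sum(weights[v.severity] * days_of_risk(v, as_of) for v in vulns) / total_weight


def rank(vendors: dict, as_of: date,
         metric: Callable[[Iterable[Vuln], date], float]) -> list:
    """Vendor names ordered from best (fewest days of risk) to worst."""
    return sorted(vendors, key=lambda name: metric(vendors[name], as_of))


# Constructed data. Vendor A fixes low-severity flaws fast but sits on a
# critical one; vendor B does the reverse and still has one low flaw open.
AS_OF = date(2005, 3, 25)
VENDOR_A = [
    Vuln("A-1", "critical", date(2004, 6, 1), date(2004, 7, 31)),   # 60 days
    Vuln("A-2", "low",      date(2004, 8, 1), date(2004, 8, 3)),    #  2 days
    Vuln("A-3", "low",      date(2004, 9, 1), date(2004, 9, 3)),    #  2 days
    Vuln("A-4", "moderate", date(2004, 10, 1), date(2004, 10, 5)),  #  4 days
]
VENDOR_B = [
    Vuln("B-1", "critical", date(2004, 6, 1), date(2004, 6, 8)),    #  7 days
    Vuln("B-2", "low",      date(2004, 8, 1), date(2004, 9, 30)),   # 60 days
    Vuln("B-3", "low",      date(2005, 3, 1), None),                # 24 days, still open
    Vuln("B-4", "moderate", date(2004, 10, 1), date(2004, 10, 11)), # 10 days
]
VENDORS = {"A": VENDOR_A, "B": VENDOR_B}


if __name__ == "__main__":
    for name, vulns in VENDORS.items():
        print(f"{name}: unweighted {average_days_of_risk(vulns, AS_OF):.2f}, "
              f"weighted {weighted_days_of_risk(vulns, AS_OF):.2f}")
    print("unweighted ranking:", rank(VENDORS, AS_OF, average_days_of_risk))
    print("weighted ranking:  ", rank(VENDORS, AS_OF, weighted_days_of_risk))
```

With this data vendor A has the lower unweighted average (17.0 days versus 25.25), but once each day of exposure is weighted by severity the order flips (31.5 versus 16.5), because A's one slow critical fix outweighs B's slow handling of low-severity flaws. Whoever picks the weights picks the winner, which is why the published weighting scheme, not just the headline number, is the thing to inspect in either study.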

I might also point out that the Security Innovations study assumes that users run each operating system in its default out-of-the-box configuration. That is a questionable assumption in practice, since administrators routinely harden a server beyond its defaults before exposing it. If the security of a specific Web application is critical, the more useful question is how difficult it is for a system administrator to secure that application on each platform.

The Security Innovations study is on the firm's Web site. A brief response from Red Hat is on the Red Hat People blog. An article on ZDNet has more reporting on the debate.

Related posts
Microsoft-sponsored study on Win2K vs Linux is NOT all good news for Microsoft
Aberdeen: new poster child for sloppy research
