Relative security

For many years, conventional wisdom has dictated that the open source operating system Linux is inherently more secure than Microsoft’s ubiquitous alternative, Windows.

The primary reason, say Linux advocates, is the nature of the open source development process.



Forrester’s Laura Koetzle used three main metrics. The first was responsiveness – how quickly security vulnerabilities were addressed, taking into account when the product was shipped, when the vulnerability was discovered and when the vulnerability was publicly disclosed.

Second, she assessed the vulnerability’s severity, placing a higher score on those that enable an attacker to potentially take control of a system and a lower score thosewith less severe problems.

Finally, Koetzle examined suppliers’ thoroughness – how close they came to fixing all the publicly disclosed security flaws.

Forrester’s recommendations

  • If you want security updates as quickly as possible, think Debian or Microsoft;

  • To balance security with ease of installation, users should go with Mandrake, Microsoft or SuSE;

  • To maximise security and ease of operation, consider Microsoft and Red Hat.



    With the source code available for all to review, flaws can be identified and rectified quicker than with proprietary operating systems, such as Windows.

    So when Forrester Research released a report recently that concluded that Microsoft was quicker and more thorough at dealing with security vulnerabilities, it caused a storm of protest in the open source community. The four main Linux distributors positively fizzed with fury. “We believe the report does not treat the open source vendors and [a] single closed source vendor in the same way,” wrote representatives of Debian, MandrakeSoft, Red Hat and Novell/SuSE in a joint letter.

    But Laura Koetzle, the Forrester analyst responsible for the report, stands four-square behind it.

    She suggests that Microsoft has finally got its security processes working effectively, after several years of appearing to ignore the problem. “Most of the people I know in the security research community say that Microsoft today is very different from the Microsoft of two-and-a-half years ago. Then, Microsoft could hardly be bothered to take their calls,” says Koetzle.

    One of the principal complaints of the open source community was that the report was not comparing like-with-like. Whereas Windows comes with little more than a web browser, a media player and some games, Linux distributions often arrive bundled with literally thousands of applications. Even low-end distributions can include MySQL and PostgreSQL databases, several office suites, web browsers, email packages and scores of games. “We are shipping so much more. We have so much more to support,” says Vincent Danen, security updates manager for MandrakeSoft.

    But Koetzle says such objections are misinformed. She points out that her methodology was more sophisticated than simply examining the number and


    CIOs still rate Linux on cost

    A perception that it was more secure than Windows was not the only assumed advantage of Linux. Most analysts, at one time or another, thought that Linux was cheaper than its dominant rival too.

    That assumption was famously challenged in late 2002 by an IDC white paper that concluded that Windows cost less in most cases in the long run, mainly because Windows experts are more common and command smaller salaries. Linux was found to be cheaper than Windows only when left to run a simple application like web serving.

    The white paper, admittedly, was highly controversial, not least because it was commissioned by Microsoft. (IDC says the methodology was its own, although Microsoft was given the right of approval.)

    The furore that followed its publication may have done enough to convince many Windows customers to try out Linux for themselves.

    Now, a survey of 140 North American businesses by Forrester Research has found that 86% of respondents cited low cost as a major reason for deploying Linux and other open source software.

    Interestingly, fewer than half of companies that deployed open source admitted having a formal means of measuring its total cost of ownership. That implies that many businesses simply assume that Linux and other open source products are bound to be cheaper, and do not think it necessary to confirm it.

    Even more tellingly, of the handful of respondents that went to considerable lengths to accurately calculate the TCO of open source software, all agreed that it was between 5%-20% more expensive than the Windows environment, thanks to higher support and maintenance fees.

    Forrester found that because many companies had not deployed Linux before, preparation and planning took longer than for Windows. Training costs were about 15% higher, reflecting both the need to catch up with Windows skill levels and the more limited availability of materials and courses. Respondents said outside help was harder to find and up to 20% more expensive than Windows assistance.

    The report also noted that open source software poses different risks to proprietary alternatives. It claims that the open source movement shifts the burden for maintenance, upgrades, support and guarantees of operability from vendors to the IT department.

    All the same, the survey found that Linux adoption is accelerating, with 46% of the companies surveyed already using open source software and a further 14% intending to deploy it over the next year. Significantly, half of these told Forrester they would be using open source for mission-critical applications. Of the remaining 39% that did not have any immediate plans to migrate to open source, lack of internal skills and external support were the most common justifications.



    severity of security vulnerabilities for different Linux distributions compared to Windows (see box). Instead, she put together different scenarios, such as running a web server or a database-driven application, and included only the stack of software that a typical Linux or Windows user might deploy in those scenarios. Then she examined the security vulnerabilities that users would have had to have implemented in those environments.

    In addition, Koetzle did not simply accept vendors’ potentially tainted descriptions of what counted for a serious security vulnerability. Instead, she followed the classifications provided by the ICAT database, which is run by the US government’s standards body, the National Institute of Standards and Technology (NIST).

    “I deliberately shied away from looking at the severity criteria that the vendors use because I would have been faced with the unenviable task of trying to reconcile different classification systems, which would have taken forever and made nobody happy. Least of all me,” she says.

    Another objection put forward by open source advocates is that Microsoft effectively controls when security vulnerabilities are publicised, enabling it to have patches ready and waiting when security announcements are made. “Most people that report vulnerabilities to Microsoft give it a time frame. They say, if you don’t fix this in six months, we are going public,” says Danen. And six months ought to be more than enough time to fix any problem.

    But while the Linux development process is more open than Microsoft’s, it is still most likely that someone who finds a flaw will quietly report it to the coordinator responsible for that section of code first, rather than rush out an email to Bugtraq or any other security vulnerability mailing list, says Koetzle.

    Patchy record

    The time lag between disclosure and the release of a patch has become increasingly important as hackers have become more proficient at releasing ‘exploits’ – applications that can automate an attack that takes advantage of security flaws. Just two years ago, it would typically take the hacking community more than six months to release a patch. Today, it can take little more than two days, while Microsoft still takes 25 days.

    That makes it important for organisations not just to implement patches as quickly as possible, but also to take remedial action as soon as a flaw is publicised. For example, if a worm spreads via a particular network port, then those ports should be closed down at the network perimeter until the patch is implemented.

    But the conclusions of the report were not necessarily cut-and-dried. While Microsoft could boast the fewest ‘days of risk’, the time between disclosure of a flaw and the release of a patch, more of its security flaws were rated as ‘high severity’.

    What is more, attacks on Microsoft systems in recent years have been devastating. Linux has nothing that can compare with Nimda, Code Red, Blaster or SQL Slammer either for virulence or for the global damage that they caused.

    All the same, Microsoft is certain to cite the Forrester report in future discussions with customers considering a switch to open source.


    What benefits do you get or expect to get from Linux and open source software
    Source: Forrester Research (base: 85 North American companies that use open source software – multiple responses accepted)


    What are the biggest concerns about Linux and open source software
    Source: Forrester Research (base: 85 North American companies that use open source software – multiple responses accepted)

    Avatar photo

    Ben Rossi

    Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

    Related Topics