Linux security under spotlight
Published: 03 Dec 2002 12:21 GMT
Because the general bugs can and do affect all operating systems, including Linux, it is clear that even the "with enough eyeballs, all bugs are shallow" idiom isn't perfect. But we do know that the security problem in Linux will be resolved at the source level, a surety we don't have with commercial closed-source or orphaned software.
Perhaps the most important advantage that open source software can provide is that widely used code subsystems that are shown to have security vulnerabilities are fixed and reissued quickly. Microsoft and many closed-source vendors have a woeful history of tardy or nonexistent vulnerability-resolution of their code. This has, thankfully, changed in the past year or two, more than likely due to the torrents of negative publicity poured on these vendors after each security threat announcement.
The numbers game
Now, on to a rebuttal of Paul Thurrott's argument, and a hint to others who have tried to run the vulnerability numbers through the analysis wringer.
Thurrott claims that through the sheer raw-number of vulnerabilities calculated by BugTraq, Linux is less secure than Windows. Thurrott states:
"If you break down those numbers by Linux distribution (despite the fact that Windows 2000 and Windows NT are lumped together), Win2K/NT had 42 vulnerabilities in 2001 (data is through August only), and the leading Linux distribution, Red Hat, had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95."
These numbers may, in total, be accurate. I don't dispute them. They appear to be slightly in Windows' favor. However, to my utter amazement, none of these industry observers has taken into account the substantial disparity in system functionality that is shipped on each platform and forms the software basis from which vulnerabilities arise.
I reviewed the broadly categorised functionality packages that ship with Windows 2000 Server, presuming it be a reasonable superset of a generally available Microsoft platform. I counted approximately 120 subsystems in Windows 2000 Server. These include Internet Information Services Web server, Active Server Pages (ASP) Programming Environment, XML Parser, and so on. Now, to compare, I quickly researched a list of subsystems that are shipped with a modern Linux distribution. SuSe had just such a list available for its 7.3 Professional release, so I used it to represent the Linux side of the equation.
The weigh-in? The Linux system had just under 2,600 packages. This means that, based on just this simple analysis, a modern Linux distribution ships with approximately 20 times more functionality in the box than what Microsoft ships with Windows 2000 Server. This is just a count of approximate functionality. With the hundreds of millions of lines of source code shipping for these platforms, a much deeper analysis would be untenable. When one does a quick and dirty calculation based on this new information, Linux, on a per-atomic-functionality basis, can be viewed as being 20 times more secure than Windows. This means that while Linux ships with 20 times as much material, it releases approximately the same number of security alerts as Windows.
Despite playing my own numbers game, the point here isn't to bicker about the statistics behind the research. What our industry needs is for security to be elevated to the front and center of design and coding practices. Any organisation, community, or vendor that credibly attempts to achieve this is worth supporting. What should not, however, be condoned, are instances where an organisation or vendor touts this approach primarily as a cynical marketing exercise, without procuring end results.
Con Zymaris is the CEO of Cybersource, a long-standing Australian IT & Internet Professional Services company.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
Previous
Did you find this article useful?
101 out of 224 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
