Linux Business Case: Security
It depends on who you talk to; it depends on configuration; it depends how well security policies and best practices are followed by staff and admins; it depends on where an OS is being used and its exposure to hackers; it depends on a lot of things.
If you take just the raw data comparing vulnerabilities issued for Windows Server 2003 vs. Red Hat Enterprise Linux 3.0, currently the most popular distribution for Web servers, then Linux is by far the big loser, said Herb Thompson, Security Innovation's director of Security Technology and Research.
"If you just count raw vulnerabilities in each of those (Web servers) that were fixed in 2004 ... in Windows 2003 we get 52 vulnerabilities, if it's serving in a Web server role," said Thompson. "If I take the minimum RedHat configuration (kernel, Apache, PHP and MySQL), which is the base system to be able to serve up a dynamic Web page, then I get something like 132."
But raw numbers tell only part of the story. How many servers are affected by the exploit? How much data is corrupted, stolen, lost or viewed by an intruder? How much does each vulnerability cost to patch? All of these factors shape the perceived security of a given OS.
And that perception may be more what the security argument is all about today than the actual vulnerability of a given OS.
Thompson recalls that in a recent client meeting a CIO was complaining about the necessity and regularity of the Windows security patching his staff did. When asked how many Linux patches his staff was required to install in a given year, the CIO had no idea. As it turned out, according to a Linux admin at the table, Linux was patched far more often than Windows.
This came as a surprise to the CIO, who basically was lamenting the fact that Windows is an insecure platform compared to other operating systems.
"When you talk about vulnerability you have to look at the workload and the points of attack," said Bill Weinberg, Open Source Architecture specialist and Linux evangelist with the Open Source Development Labs. "Some of the assumptions made that Linux is always more secure than Microsoft or other operating systems -- any generalization should be examined carefully."
But being OSDL's Linux evangelist, it's no surprise Weinberg believes that, if configured correctly, Linux's underlying component-based architecture makes it more secure than Windows.
However, because Linux is somewhat more complex to configure and is less user- and application-friendly when configured for secure operation, many admins provision Linux in a less secure form, which, of course, can negate any inherent security superiority Linux possesses out of the box.
"You're talking about religion here," said Charles Kolodgy, an analyst with IDC. "[G]enerally it does come down to the viewpoint of the user and how much you want to do yourself and how much you want someone else to do it. I can just as easily change my own oil, but I go and get it done to save time. I can patch my Linux or I can have Microsoft patches."
There are other arguments that need to be looked at when considering inherent OS security. One is ubiquity, another is open source vs. closed source, and a third is latency, or days-of-risk.
Many people believe that because of Windows' popularity, it comes under attack more often and therefore is regarded as less secure. But with Linux now being used in millions of PDAs and Web servers around the globe, it also is a tempting target.
According to Weinberg, something like 20% to 30% of the total server market is Linux-based. And, according to Con Zymaris, CEO of Cybersource, an Australian Linux/UNIX consultancy, 67% of the world's Web pages are served up on Apache/Linux, not to mention all the Linux-based mail servers.
With all these instances of corporate Linux in use, arguing security on the basis of popularity is a non-starter. Zymaris, like Weinberg, believes its underlying architecture makes Linux more secure.
"All these data points imply that Linux and open-source platforms constitute the lion's share of Internet-exposed computing infrastructure globally," said Zymaris. "This would therefore put 'Paid' to the concept that Linux isn't attacked because it's not high-profile enough on the Internet."
Another argument says that because Linux is open source, and anyone can have access to the base kernel, it is less secure by definition. This, according to Weinberg and Zymaris, is a false presumption. "Security through obscurity," Zymaris states, is no security at all.
That is why Windows is so successfully attacked by virus writers exploiting auto-executable macros in Outlook, for example, and Linux is not.
Days-of-risk, or the time between when a vulnerability is reported and a patch issued, is also a big security concern. Since Microsoft, Red Hat and Novell all subscribe to the "responsible disclosure" concept -- under which those who discover vulnerabilities are encouraged to report them to the software vendor first and allow time for a patch to be created -- the lag time between when a vulnerability is discovered and a patch issued often is unknown.
For Linux, outside of the Red Hat and Novell distros, vulnerabilities are reported at large, and therefore the lag time to a patch may, or may not, be longer than for a Windows patch. However, Microsoft gets kudos for improving its security response time and for issuing patches on a regular, predictable schedule.
Unless you are running a supported distro of Linux, patches come out when they come out. In either case, companies are vulnerable until a patch is issued.
"The biggest difference is, with open source, the white hats ... and the customer has a chance to fix it on their own as opposed to waiting for the proprietary software (vendor) to do on a schedule that only suits their commercial needs," said Weinberg.
But while Microsoft seems to be getting a handle on this particular problem, said Security Innovation's Thompson, the ad-hoc nature of the open source community means it has no central coordination to address such issues. And, over the next few years, this may cause some problems for Linux.
"The Linux trend is actually moving upward toward more vulnerabilities in the first year of release as opposed to, if you look at the Windows server products like Windows Server 2000 vs. Windows server 2003, where the trend's going down," said Weinberg. "On the Linux side, it's going to be interesting to see what happens."
So, is Linux inherently more secure than other OSes? It's hard to say. If you configure any OS wrong and leave yourself open to attack, fail to adhere to security policies and procedures, and provision for ease of use over security, then, no, Linux is as insecure as any other OS.
But, if you can do without some of the functionality inherent in a Windows platform and are willing to jump through some configuration hoops, then, the consensus leans toward Linux because of its component architecture and the ability of in-house staff to deal with security problems proactively instead of waiting for Microsoft or another proprietary platform vendor to issue a fix. In other words, it depends.