Linux Security vulnerability Red Hat : Where The Linux Community Meets

Now, on to a rebuttal of Paul Thurrott's argument, and a hint to others who have tried to run the vulnerability numbers through the analysis wringer.

Thurrott claims that through the sheer, raw number of vulnerabilities calculated by BugTraq, Linux is less secure than Windows. Thurrott states:

"If you break down those numbers by Linux distribution (despite the fact that Windows 2000 and Windows NT are lumped together), Win2K/NT had 42 vulnerabilities in 2001 (data is through August only), and the leading Linux distribution, Red Hat, had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95."

These numbers may, in total, be accurate. I don't dispute them. They appear to be slightly in Windows' favor. However, to my utter amazement, none of these industry observers has taken into account the substantial disparity in system functionality that is shipped on each platform and forms the software basis from which vulnerabilities arise.

I reviewed the broadly categorized functionality packages that ship with Windows 2000 Server, presuming it be a reasonable superset of a generally available Microsoft platform. I counted approximately 120 subsystems in Windows 2000 Server. These include Internet Information Services Web server, Active Server Pages (ASP) Programming Environment, XML Parser, and so on. Now, to compare, I quickly researched a list of subsystems that are shipped with a modern Linux distribution. SuSe had just such a list available for its 7.3 Professional release, so I used it to represent the Linux side of the equation.

The weigh-in? The Linux system had just under 2,600 packages. This means that, based on just this simple analysis, a modern Linux distribution ships with approximately 20 times more functionality in the box than what Microsoft ships with Windows 2000 Server. This is just a count of approximate functionality. With the hundreds of millions of lines of source code shipping for these platforms, a much deeper analysis would be untenable. When one does a quick and dirty calculation based on this new information, Linux, on a per-atomic-functionality basis, can be viewed as being 20 times more secure than Windows. This means that while Linux ships with 20 times as much material, it releases approximately the same number of security alerts as Windows.

Despite playing my own numbers game, the point here isn't to bicker about the statistics behind the research. What our industry needs is for security to be elevated to the front and center of design and coding practices. Any organization, community, or vendor that credibly attempts to achieve this is worth supporting. What should not, however, be condoned are instances where an organization or vendor touts this approach primarily as a cynical marketing exercise, without procuring end results.

prev

•IBM rolls out on-demand computing service
•UltraSPARC Affordable at Last
•MTI Announces 147-GB Disk Drives
•MontaVista Introduces Linux for CE Devices

•Schedule, a Cron Adjunct
•Linux developer stokes smart phone OS war
•Red Hat Linux 8.1 To Ship in April
•Apple Bridges OS X and Linux with X11 Beta
•SGI introduces its own Linux software environment

•Quick-Start Networking
•Backing up to CDs Made Simple:
•17 Easy Steps to Samba:
•Dual booting Redhat 7.2 and Windows XP Version
•One IP, Many Domains: An Apache Virtual Hosting HOWTO

•Training available for new commercial Security-Enhanced Linux
•Make 2003 more secure
•New user a security nightmare
•Linux security strong as ever

•SCO Linux 4 - Ready for the Big Time
•Linux on government servers
•Linux and TV called key to broadband tsunami
•Study: Linux headed for high end, too

website maintenance & design provided by Datums Solutions