Does Research Support Dumping Linux?, 2002-12-02
Microsoft's security policies are getting better every day, even as a new report slams open-source competitors as security nightmares. But the easy answers aren't always the right ones.
It's always nice to have professional research as ammunition against the zealots that make posts from Outlook Express on how horrible Microsoft products are.
I don't really believe that -- I just wanted to get your attention. But now that I have it, it is a good time to introduce you to some researchers whose sentiments are just that. In fact, The Aberdeen Group is calling open-source and Linux software the new "poster child" for operating system security for the year of 2002.
In a research
With only seven advisories relating to Microsoft products, or about one in four, the group has now dubbed Linux as the new leader in OS insecurity.
So does this mean that you should dump all of your Linux installations and replace them with Windows? Of course not -- no more than you should have switched from IIS to iPlanet at Gartner's recommendation. What it does mean, as the publication points out, is that all operating systems have security problems, and they always will. The degree to which you embrace this and plan for it is the degree to which you will be secure.
Users desire features, features spawn complexity, and complexity bears insecurity. It is just that simple. To paraphrase a Schneier-ism, the more complex a system is, the less secure it is.
Of course, it's always nice to have professional research as ammunition against the zealots that make posts from Outlook Express on how horrible Microsoft products are. But to be honest the value of such research is minimal. That is because the real security in Linux, Windows, or Solaris lies in how well you know how to secure them. Which one offers the best security? The one you know how to secure the best.
Microsoft Security On the Rise
There are certainly pros and cons to each source model -- open source ensures that the code will be available for peer review, but it does not mean that the peers actually review it. Closed-source models can more easily have global policies applied to the development process, but that doesn't mean it actually happens. No matter which you choose to use, the most important thing you can do today is to give your IT department the education and training it needs to learn how to best secure your infrastructure.
But those of us who have chosen to use Microsoft products should take heart -- it seems that the company's security initiative is indeed starting to pay off. It has not been immediate, and I don't think anyone expected it to be, but we have already seen some of the benefits of the global code review and security push.
Speaking at Windows Server DevCon in September, Microsoft senior vice president Brian Valentine outlined some very important security policies at the company. Though the popular media seemed only to extract an out-of-context "Our products are just not engineered for security" misquote, the real content of Valentine's speech was powerful. For instance, he has mandated that every single person in the Windows Division undergo security training. Every single person. What's more, if someone works for a group outside the division but supplies products that will ship on his platform CDs, they too must go through security training. That is strong, and it will pay off.
The code review methodology he put in place will also make a substantial impact. Not only is all of the code being audited, but it has been assigned ownership. That way, if something does get missed, the individual that let it slip by can be held accountable. This is one of the benefits of the closed-source model.
But to me, the vendor -- be it Red Hat or Microsoft -- is only half of the issue; I think that we, the users, are the biggest threat to our own security. While coding errors and architectural flaws are serious problems that must be fixed, the most prevalent issues still come from default installations of all available services, blank or weak passwords, and unpatched systems.
It is easy to get caught up in the OS Holy Wars, but I don't really see the value in doing so. We are talking about software here -- tools for the working dog, not religious dogma. I think our time is much better spent learning to secure what we have than bashing that which we don't use.
It is the vendor's job to provide us with software that is securable -- it is our job to secure it.
