For a long time it has been asserted as "fact" that Linux is more secure because it's OPEN, and therefore more eyes look at the code and are able to secure it more easily. Naive Marc “right place at the right time” Andreessen lists it as the 4th reason in his “why open source is better” list.
This “fact” is dead wrong. I have always believed that Linux will be far LESS secure than proprietary software, since all it takes is one bad hacker to ruin the day. A new report from Forrester Research Inc., Is Linux More Secure Than Windows?, says that Microsoft fixes security problems faster! One of the benefits of open source is that there are so many free developers working nonstop to fix bugs fast. But somehow Microsoft seems to fix things faster. Guess Adam Smith was right after all.
The industry and the author of the Forrester report believe that, based on the available data on past security vulnerabilities, vulnerabilities follow a timeline from discovery to fix. During this timeline, hackers exploit the vulnerability. (Hackers have a “time to market”, so to speak, that is getting quicker and quicker; see below.)
Since the goal is to fix vulnerabilities faster in order to reduce attacks, Microsoft is actually more secure. Microsoft took an average of 25 days to fix a vulnerability, and Red Hat took an average of 57 days.
Now, forget the MS v. Linux issue (more on that soon); we have to take some responsibility ourselves, no matter what the OS. We have to install patches. Prior to the Nimda worm being released, the patch for the exploit had existed for 331 days. SQL Slammer, 6 months. Welchia/Nachi, just over 5 months. Recently, with the Blaster worm, the patch for the exploit was released only 25 days before the worm was released. In each case a patch was available. We are seeing hackers watching for security alerts, then using those alerts to create exploits and take advantage of the fact that deploying security patches is a complex process in the corporate space or simply not done in the end-user space.