Forrester Study Recasts Microsoft Security

Is Linux more secure than Windows?

That's the question Forrester senior analyst Laura Koetzle attempted to answer in a recent report on the subject, but her analysis may be pouring gasoline on an already flaming debate.

Koetzle's study compares security for Windows and four major Linux providers: Debian, Red Hat, MandrakeSoft and SuSE Linux, now owned by Novell.

The analyst chose a window of time -- June 1, 2002, to May 31, 2003 -- identified the number of security flaws reported for each operating system during that period, and analyzed that data based on vendor responsiveness, severity of the security flaws and thoroughness in correcting the flaws.

Fast Response by Microsoft

Her findings show that Microsoft (Nasdaq: MSFT), on average, released a fix within 25 days of a vulnerability's disclosure for the 128 security flaws reported during the period. That compares with 57 days for Red Hat with 229 flaws and Debian with 286 flaws, 82 days for MandrakeSoft with 199 flaws and 74 days for SuSE with 176 flaws.

However, the security flaws in Windows tended to be higher-risk vulnerabilities than were found in the Linux products. Sixty-seven percent of the flaws in Windows were deemed "high severity," compared with 56 percent of Red Hat's, 57 percent of Debian's, 60 percent of MandrakeSoft's and 63 percent of SuSE's.

Based on its findings, the report recommended:

  • If you want security updates as quickly as possible, consider Debian and Microsoft.
  • If you want security with installation ease, consider MandrakeSoft, Microsoft or SuSE.
  • If you want to maximize security and operational ease, consider Microsoft or Red Hat.

Needless to say, Microsoft, which has been a whipping boy on security issues for many years, was pleased with the study's findings.

"Microsoft welcomes Forrester's decision to take an objective, in-depth look at the data behind vulnerability handling across the software industry and encourages all customers to review and evaluate the data in the context of their own computing environments," a spokesperson, who asked not to be identified by name, told TechNewsWorld.

On the other hand, some members of the Linux community were less than pleased with the report.

Wasted Effort

"I think it was a wasted effort because I don't think it gives any answers," MandrakeSoft security update manager Vincent Danen said of the study from his office in Edmonton, Alberta, Canada.

"The problem with this report is that it is comparing apples to oranges," he asserted. "If it were something limited strictly to Linux vendors, then it would make sense."

The "apples to oranges" analogy was cited constantly during collection of data for the study, Koetzle told TechNewsWorld.

"Yes, Windows and Linux are developed very, very differently," she said. "I am not disputing that in any way.

"But," she continued, "enterprise customers don't really care. When you're picking a platform to operate on and you're looking at security, what you care about is how secure it is. You don't care how it was developed. You don't care who developed it. You don't care what methodology they used. What you care about is the result."

She explained that she compared the systems based on function rather than differences in architecture.

Numbers Versus Quality

That functional analysis, however, provides a less than complete picture of the situation, according to Novell spokesperson Bruce Lowry.

"We think the conclusions of the report were off in terms of what really matters," he told TechNewsWorld from his office in San Francisco. "It's a quantitative report that doesn't address the qualitative issues involved. And it's the qualitative issues you need to be concerned with when picking a platform."

This report "doesn't address how quickly the most serious vulnerabilities are addressed," he said. "We would argue that in the Linux community, for a variety of reasons, the most serious things are addressed the most quickly and the most effectively."

Priorities, Priorities

Red Hat security response team leader Mark Cox explained to TechNewsWorld that each vulnerability that affects Red Hat products is individually investigated and evaluated. The severity of the vulnerability then is determined on the basis of risk, impact and software affected.

This severity is then used to determine the priority at which a fix for a vulnerability is being worked on, weighed against other vulnerabilities in the company's current queue, he continued. This prioritization means that lower severity issues often will be delayed to let the more important issues get resolved first.

"Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix," he said. "The average erroneously treats all vulnerabilities as equal, regardless of the risk."
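The methodological point Cox makes can be seen with a small worked example, added here and not part of the original article or of Forrester's data: a pooled mean of days-to-fix can rank one vendor ahead of another even when that vendor is slower on every high-severity flaw. All vendor names, dates and severities below are constructed sample records.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records, NOT Forrester's data:
# (vendor, severity, disclosure date, fix date)
RECORDS = [
    ("VendorA", "high", date(2002, 6, 3),  date(2002, 7, 15)),  # 42 days
    ("VendorA", "high", date(2002, 8, 1),  date(2002, 9, 10)),  # 40 days
    ("VendorA", "low",  date(2002, 9, 5),  date(2002, 9, 8)),   #  3 days
    ("VendorA", "low",  date(2002, 10, 1), date(2002, 10, 6)),  #  5 days
    ("VendorA", "low",  date(2002, 11, 2), date(2002, 11, 4)),  #  2 days
    ("VendorA", "low",  date(2003, 1, 10), date(2003, 1, 14)),  #  4 days
    ("VendorB", "high", date(2002, 6, 10), date(2002, 6, 17)),  #  7 days
    ("VendorB", "high", date(2002, 7, 20), date(2002, 7, 29)),  #  9 days
    ("VendorB", "high", date(2002, 9, 1),  date(2002, 9, 9)),   #  8 days
    ("VendorB", "low",  date(2002, 10, 3), date(2002, 12, 2)),  # 60 days
    ("VendorB", "low",  date(2003, 2, 1),  date(2003, 4, 2)),   # 60 days
]


def days_to_fix(disclosed, fixed):
    """Elapsed days between public disclosure and the vendor's fix."""
    return (fixed - disclosed).days


def flat_average(records, vendor):
    """Pooled metric as the article describes it: every flaw weighted equally."""
    return mean(days_to_fix(d, f) for v, _, d, f in records if v == vendor)


def average_by_severity(records, vendor):
    """The breakdown Cox argues for: mean days to fix per severity class."""
    buckets = defaultdict(list)
    for v, sev, d, f in records:
        if v == vendor:
            buckets[sev].append(days_to_fix(d, f))
    return {sev: mean(vals) for sev, vals in buckets.items()}


def ranking_flips(records, vendors, severity="high"):
    """True when the vendor with the best pooled average is not the fastest on `severity`."""
    best_flat = min(vendors, key=lambda v: flat_average(records, v))
    best_sev = min(vendors, key=lambda v: average_by_severity(records, v)[severity])
    return best_flat != best_sev


if __name__ == "__main__":
    for vendor in ("VendorA", "VendorB"):
        print(vendor, "pooled:", flat_average(RECORDS, vendor),
              "by severity:", average_by_severity(RECORDS, vendor))
```

On this constructed data VendorA wins the pooled average (16 days versus 28.8) while taking roughly five times longer than VendorB on high-severity flaws, which is exactly the distortion the per-severity view exposes.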

© 2009 IDG News Service, NetworkWorld, Networkworld Inc i/a/w Pinnacor, Inc. All rights reserved.
© 2009 ECT News Network. All rights reserved.