Ridiculous statements of platform security

I’m reading my usual online newsletters and I come across this one. I’m reading it and it’s laughable!

Saying that Open Source is “inherently” more secure is misleading. A claim like that needs to be backed up with fact, and the facts are that both Microsoft and Open Source software have security issues and can be configured insecurely. I’ve said it before and I’ll say it again: the difference between a secure system and a non-secure system is how it’s installed and maintained. Let me clarify:

1. How you install and configure it – and here’s where I agree with the RedHat guy in the article – both Linux and Windows can be secure out of the box. It comes down to the system admin’s knowledge of how to configure it. Basic system hardening needs to follow either vendor’s best practices.

2. Whether you keep up with system maintenance and patches – both platforms have roughly the same number of critical patches. Don’t believe me? Look for yourself…

Now the Linux folk don’t like us comparing their total stack (the kernel together with KDE, Apache and all the other components) against our total stack. They feel it’s unfair, I guess… The article mentions Apache, so let’s look at the latest version of Apache against the latest version of IIS 6.0 in Windows Server 2003.

IIS 6.0 scores a big fat zero for the number of vulnerabilities since its release. Indirectly there were 3 that, while they weren’t directly part of IIS 6.0, were used by IIS 6.0. So let’s say 3.

How many does Apache score? Well, look for yourself. Go to http://www.securityfocus.com. List for yourself how many issues there are (hint: there are lots of them).

Now I’m not naive enough to come out and say that Microsoft has all the answers and is a shining example – but I do think we are on the right path and putting in place security that no other platform has.

I think security is a journey on any platform, whether that’s Linux or Microsoft, and it comes down to people, process and technology working together to produce a secure system.


Comments (1)

  1. jrjones says:

    Michael, this is one of those articles where I didn’t know whether to laugh or cry, so I opted for laughter. I’m always puzzled about reporters who regurgitate statements like Gene’s.

    My take (Trend Micro CTO hints that Trend will Open Source Code / http://blogs.technet.com/security/archive/2006/06/14/435960.aspx) was a bit more sarcastic than yours 😉