
Microsoft vs Linux Reports - Sheer Waste Of Time?


The report released by Security Innovation Inc., an application security company, comparing the security of Windows Server 2003 with that of Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is interesting in its own right. Even a quick skim of the report turns up a few discrepancies that call its credibility into question.

The summary on the report's landing page states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers name the Microsoft product explicitly, they use the more generic term "Linux" for the other side. Why generalize? It is hard to believe that these PhDs do not understand the significance of that wording. Why couldn't they just be direct and say "RHEL3ES"?

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them, deploying components from multiple vendors in an enterprise makes the overall system more vulnerable. So we must expect enterprises to take immediate action to ensure that ALL of their ERP, SCM, CRM and, of course, web servers come from a single vendor. We hate to repeat this, but have they ever heard of something called "vendor lock-in"?

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they mean to say that the "days of risk" figure has been significantly affected by the fact that the vendor controls when a vulnerability is disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is saying that customers buying Microsoft products are expected to work closely with Microsoft so that the vulnerability announcement and the fix announcement fall as close together as possible, keeping the "days of risk" to a minimum. We sincerely hope we have got this one wrong.

Though a lot more in the report could be analyzed, this "independent" research appears to have been done (or should we say, written) by people who think that enterprise IT heads are a bunch of fools with all the time in the world to read through tons of pages of deceptive analysis.
