Dueling Studies on Security and TCO in Windows and Linux

Friday, October 22 2004 @ 01:13 PM EDT

Contributed by: PJ

The Register has something you'll be interested in, a detailed study of security in Windows and Linux by Nicholas Petreley. The link is to the article, and the full report is here. The conclusion after all the slicing and dicing?

Linux is inherently more secure.

You might want to have the study handy when folks start quoting Steve Ballmer at you:

"'We're more secure than the other guys,' Ballmer said, blaming the sheer volume of attacks against his company's products on their popularity and the resulting fame that can be gained by hacking them. 'There are more vulnerabilities in Linux, it takes longer for Linux developers to fix security problems. It's a good decision to go with Windows.'"

According to Petreley, not true.

From Petreley's Executive Summary:

"We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3 . . . . The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

"We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold."

If you like to do comparisons of your own, Microsoft's "Get the Facts" website has white papers galore, the best that money can buy, and some others as well. Laura DiDio's two-part study on TCO is hilariously headlined:

Large Enterprises: Switching from Windows to Linux "Prohibitively Expensive, Extremely Complex, Provides No Tangible Business Gains".

Talk about your loyal servant. She never adds in the cost of coping with viruses and other malware. *No* tangible business gain? I'd say having an inherently more secure operating system is a tangible business gain by any metric, but suit yourself. Joe Barr does his own analysis, factoring in the costs of a visit from the BSA. Here's another study that found the opposite of Ms. DiDio:

"Companies with at least 2,000 employees can reduce their total cost of ownership (TCO) by as much as 26 percent over three years by using Linux servers over Windows, and 12 percent on open-source office applications over Office products from Microsoft Corp., said Soreon, an IT researcher who focuses exclusively on European markets."

The savings, they say, come from reduced license fees and operating costs. Even Gartner now says that Open Source is a value proposition. Gartner Vice President Mark Driver at their yearly conference Symposium/ITxpo is reported to have repeatedly said, "You'd be stupid not to use open source as part of your application management strategy." I'm sure he wasn't intentionally calling anybody else's study stupid or anything.

Speaking of headlines, here's my personal favorite, as a counterpoint to Microsoft's amusing spin on the DiDio study, from CXOtoday.com Business News for Technology Buyers:

"If Microsoft's Cheaper Than Linux, The Earth's Flat."

It says it all, no?