A comparison of vulnerability counts, security patch response times, and the information disclosure needed for security management.
Security is now one of the most important criteria when selecting a server OS. It deserves careful consideration, given the losses that unauthorized access and system failures cause and the time it takes to apply security updates.
In reality, however, the OS is often chosen on the basis of unfounded, rumor-level information or on outdated information that is far removed from the current situation.
In this article, I would like to compare the security of Windows Server 2003 and Linux based on solid data.
Is Linux Really Safe?
When installing a server, we often hear the opinion that “Linux has higher security than Windows” as a reason to choose Linux, but is this really true?
In fact, Linux has many vulnerabilities
Many users hold the mistaken preconception that Windows has more security holes and is less secure than Linux. The number of Linux-related vulnerabilities is not small; they are simply harder to notice. You can confirm this by going to the U.S. BugTraq site below and filtering the vulnerability list by entering “RedHat” in the Vendor field. You will see that Linux-related software has as many reported vulnerabilities as Windows.
BugTraq vulnerability information
Despite these realities, why does the myth of Linux safety persist?
As mentioned in the first part of this series, “Linux” strictly refers only to the kernel. For this reason, when vulnerabilities are reported, only those in the kernel are reported as “Linux vulnerabilities,” while the other software included in a distribution package is reported under its individual software name.
In Windows, on the other hand, vulnerabilities in standard Windows components such as the GUI, web server, and file server are all reported as Windows vulnerabilities.
So although vulnerabilities are reported per piece of software, the entire distribution package is referred to as “Linux” when an OS is being selected. This mismatch is thought to be a major reason for the safety myth that “Linux has few vulnerabilities and is highly secure.”
Is Open Source Responsive?
Another comment I often hear is that “Linux is open source, so the response time from when a vulnerability is discovered to when it is fixed is short.” Certainly, this may be true if you are highly skilled at reading and understanding source code on your own and can modify programs yourself to eliminate vulnerabilities. However, even if they have the skills, most system administrators will probably shy away from finding and fixing problems in huge amounts of source code because of the cost and limited effectiveness. The reality is that no countermeasures can be taken until an updated program is released by the community that develops the program or by the distributor. That being the case, what we need to compare is the time it takes each distributor to release updates.
A research report by Forrester, published by Microsoft, compares the average number of days it takes for each OS to be updated after a vulnerability is disclosed. The following table summarizes it.
What is the software support period?
The software support lifecycle is one of the important factors that determines the lifecycle of an entire information system, because an organization cannot afford to keep using a system that has stopped receiving critical bug fixes and security patches.
Note that version 9 of SuSE Linux was released on August 5, 2004, so the comparison here uses that latest version.
Microsoft provides all types of support (mainstream support), including free product support, bug fixes for individual environments, and requests for specification changes, for five years after a product’s release. After that, security updates continue to be provided free of charge, and inquiry support (extended support) is provided under a paid contract for a further five years, so in total, support is provided for ten years from the product’s release.
Therefore, of the three products listed in the table, even though Windows Server 2003 was released the earliest, its support period is the last to end.
Judging from the values in the table alone, Linux distributions also appear to provide relatively long-term support. However, if a distributor is downsized or dissolved, there is a high possibility that support will be greatly affected. Additionally, Linux distribution package products are developed by multiple foundations, and when they are upgraded, the support policies for past versions are not always clear. Although this is still speculation, it is a concern that a corporate user cannot ignore.