Security Innovation has concluded research in a project comparing the security of various server platforms with default and minimum Web server configurations. The results of the research show that both Linux-based deployments contained more total security vulnerabilities than the Windows-based deployment, and more "days of risk" per vulnerability (the amount of time elapsed between public disclosure of a vulnerability and the issuance of a potential fix by the vendor). The report also includes a step-by-step description of the repeatable methodology, so that others can duplicate and validate the results.
Specific results of the study include:
Vulnerability Counts: Both Linux-based deployments, featuring Red Hat Enterprise Linux ES 3 as the primary Web server, had more than twice the number of vulnerabilities reported and/or fixed in 2004 when compared to the Microsoft Windows Server 2003 deployment over the same time period.
Average Days of Risk: Both configurations of the Linux-based server platform had more than twice the average number of days of risk when compared to the Microsoft Windows Server 2003 deployment over the same time period.
Cumulative Days of Risk: When multiplied by the number of vulnerabilities reported in 2004, the number of total days of risk for each configuration of the Linux server platform was more than five times the cumulative number of days of risk for the Windows-based server over the same time period.
Analysis by Severity: In addition, analysis of each metric by severity showed that, while the minimal Red Hat configuration made a significant improvement over the average days of risk for vulnerabilities, it still experienced a higher number of severe vulnerabilities and a higher days-of-risk average than the Windows platform.
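The three metrics above (vulnerability count, average days of risk, and cumulative days of risk, each also broken down by severity) can be computed directly from a list of disclosure and fix dates. The following script is an added illustration, not code from Security Innovation's study; the vulnerability records, the platform names, the severity labels and the observation window are all constructed, and the handling of the two edge cases (no fix issued within the window, and a fix issued before public disclosure) is our own choice rather than something the study specifies.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records (hypothetical; not figures from the study).
# "fixed" is None when no vendor fix had been issued within the window.
SAMPLE_VULNS = {
    "platform-A": [
        {"id": "A-1", "severity": "high",   "disclosed": date(2004, 1, 5),  "fixed": date(2004, 1, 20)},
        {"id": "A-2", "severity": "medium", "disclosed": date(2004, 2, 10), "fixed": date(2004, 2, 12)},
        {"id": "A-3", "severity": "high",   "disclosed": date(2004, 3, 1),  "fixed": None},
        {"id": "A-4", "severity": "low",    "disclosed": date(2004, 4, 15), "fixed": date(2004, 4, 10)},
    ],
    "platform-B": [
        {"id": "B-1", "severity": "high", "disclosed": date(2004, 1, 10), "fixed": date(2004, 1, 12)},
        {"id": "B-2", "severity": "low",  "disclosed": date(2004, 5, 1),  "fixed": date(2004, 5, 6)},
    ],
}

# End of the observation window (assumed; the study's own window is not restated here).
WINDOW_END = date(2004, 12, 31)


def days_of_risk(vuln, as_of=WINDOW_END):
    """Days between public disclosure and the vendor's fix.

    Edge cases (our choices, not the study's):
    - no fix within the window: risk keeps accruing up to `as_of`;
    - fix issued before disclosure: clamp to 0 instead of a negative value.
    """
    end = vuln["fixed"] if vuln["fixed"] is not None else as_of
    return max(0, (end - vuln["disclosed"]).days)


def platform_metrics(vulns, as_of=WINDOW_END):
    """Count, average days of risk, and cumulative days of risk for one platform."""
    dor = [days_of_risk(v, as_of) for v in vulns]
    return {
        "count": len(vulns),
        "average_days": mean(dor) if dor else 0.0,
        "cumulative_days": sum(dor),
    }


def metrics_by_severity(vulns, as_of=WINDOW_END):
    """Same three metrics, grouped by the severity label on each record."""
    grouped = defaultdict(list)
    for v in vulns:
        grouped[v["severity"]].append(v)
    return {sev: platform_metrics(vs, as_of) for sev, vs in grouped.items()}


def compare_platforms(data, as_of=WINDOW_END):
    """Overall and per-severity metrics for every platform in `data`."""
    return {
        name: {
            "overall": platform_metrics(vulns, as_of),
            "by_severity": metrics_by_severity(vulns, as_of),
        }
        for name, vulns in data.items()
    }


if __name__ == "__main__":
    for name, result in compare_platforms(SAMPLE_VULNS).items():
        o = result["overall"]
        print(f"{name}: {o['count']} vulns, avg {o['average_days']:.1f} days, "
              f"cumulative {o['cumulative_days']} days")
        for sev, m in sorted(result["by_severity"].items()):
            print(f"  {sev:<6} count={m['count']} avg={m['average_days']:.1f} "
                  f"cumulative={m['cumulative_days']}")
```

Note how the unfixed record (A-3) dominates platform-A's cumulative figure: a days-of-risk comparison is only meaningful when the observation window and the treatment of still-unfixed issues are stated alongside the numbers, which is why the repeatable methodology matters as much as the totals.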
"Most of the evidence offered in a debate over the security of one operating system or application over another is anecdotal and generated from the individual user experience or the exploitation of one vulnerability. Security Innovation's methodology is designed to interject tangible, qualitative data into the debate," said Charles Kolodgy, research director of Security Products at IDC. "The flexibility in the approach taken serves as a foundation upon which other academic and professional research groups can build. Once future research projects that build on this research are conducted, a standard can be reached by which application and operating system security can be accurately assessed."
The Security Innovation study compares two technology platforms fulfilling the Web server role at a typical end-user organization. The Microsoft deployment included a Microsoft Windows Server 2003 running Microsoft Internet Information Services 6.0 (IIS 6.0), a Microsoft SQL Server 2000 database server and the ASP.NET application platform. The Linux-based deployment included a Red Hat Enterprise Linux 3.0 (RHEL 3.0) Server running an Apache Web server, a MySQL database server and the PHP application platform. The study compared the Microsoft Windows Server 2003 deployment, assuming every Windows Server package was installed and enabled, against two separate configurations of the Red Hat Enterprise Linux ES 3 deployment, one with minimal features active and one with default configurations.
"Our goal was to look at customer-focused comparative measures for vendors and platforms," said Dr. Herbert Thompson, a principal investigator for the study and director of security technology and research for Security Innovation. "By utilizing products and configurations that are most popular in real-world deployments, we generated results that will have the broadest impact and meaning among the end-user population. This research can help an enterprise make an informed decision as to which system is most secure for its unique business environment."
"We created the methodology and reviewed it with several industry peers so our research would be easy to follow and easily repeatable. We have already identified areas where we can expand our scope in future research studies," adds Dr. Richard Ford, the other principal investigator for the study and research professor of computer sciences at the Florida Institute of Technology (FIT).
In addition to engaging peer review from academic and analyst colleagues while developing and refining the methodology, Security Innovation has published a Methodology Paper available at the website below for public review. Analysts, media, industry experts and end-user organizations are encouraged to download the paper to examine how the study was conducted and repeat the research.
This study was funded by Microsoft and is the first release of an ongoing Security Innovation research project in cooperation with FIT, comparing the security vulnerability of proprietary Microsoft products to open-source alternatives.
"Unisys fully supports this level of detailed research, which is grounded in fact and scientific rigor," said Peter Samson, vice president and general manager of Enterprise Server Market Development at Unisys Corporation, after vetting the study's methodology. "Many reports offer high-level judgments, but do not share the empirical data that underlie those opinions. Microsoft has significantly improved the security of its products, and this report is further confirmation that mission-critical systems can be confidently built on Microsoft technology."
http://www.sisecure.com/resources/linux_windows.shtml