Tuesday, January 31, 2006

Linux Vulnerabilities Spur Enterprise Warning

When evaluating digital signage software, many will ask Webpavement about security. While this question is very broad, the conversation usually includes a Windows vs. Linux analysis. Linux is perceived to be more secure than Windows, mostly because it is open-source software. However, the jury isn't out on this subject.

InformationWeek's Johanna Ambrosio published an article that offers valuable data concerning this argument.

Here are some of the highlights as excerpted from the article:

Recently, the U.S. Computer Emergency Readiness Team, or CERT, reported that during 2005, Linux and Unix combined had 2,328 vulnerabilities, compared with 812 vulnerabilities for Microsoft Windows.

A separate query of the National Vulnerability Database (NVD)--maintained by the National Institute of Standards and Technology--yielded similar results: During 2005, there were 119 vulnerabilities reported in the core Linux kernel--the one used by all the various Linux distributions, says Peter Mell, the database's main administrator. This compares with 61 published vulnerabilities for Windows XP, according to the NVD. Moreover, the trend appears to be going upward. The 119 vulnerabilities found in Linux during 2005 compare with 47 in 2004, 16 in 2003, and 11 in 2002, Mell says.

As the popularity of Linux increases, some question whether the open-source development model will continue to serve Linux well from a security perspective. "To a large extent, this could be a failure with open source," says Ira Winkler, an independent consultant, president of the Internet Security Advisors Group, and author of Spies Among Us. The primary issue he sees is a lack of consistency in regression testing and other quality-control issues. Because many people may be contributing code in the open-source model, there's no way of being sure exactly how that code has been bulletproofed, or even whether any best-practice testing methodologies have been used across and between contributors.
