IT directors should take US-CERT's recent report about security vulnerabilities in Linux with a grain of salt,...
according to some Linux experts. Reading between the lines of the report, however, these same industry veterans see a clear indication that IT managers should be more concerned about the security of their applications than operating systems.
Most IT researchers and pollsters haven't figured out how to realistically compare open source security vulnerabilities with those of proprietary vendors. That's why, the experts say, the recent U.S. Computer Emergency Readiness Team (US-CERT) report should be taken with, well, about 500 grains of salt.
The upshot of the 2005 US-CERT annual report? That Windows is a more secure operating system (OS) than Linux or Unix because it had fewer vulnerabilities reports, just 812 compared to the others' combined total of 2,328.
That conclusion and the methodology of the US-CERT security study are fundamentally flawed, say experts. However, the report does have value, in that it shows that applications are very vulnerable to hackers.
"The main problem with this report is the way it counts things," says Mike McCallister, author of SUSE Linux 10 Unleashed, published by Sams Publishing. "When things are fixed, CERT puts out an updated alert."
The US-CERT study lumps two separate operating systems -- Unix and Linux -- together and puts open source applications in with that same category. Instead, US-CERT should reclassify its vulnerability figures according to which are Linux and open source application vulnerabilities and which are not, experts say. "Overall, there is a much larger pool of operating systems, applications and tools that can be classified as Unix/Linux than can be classified as Windows; thus the potential number of vulnerabilities may be correspondingly larger," says James Turnbull, security consultant for Commonwealth Bank of Australia and author of Hardening Linux from Apress. This categorization doesn't accurately compare the risk of deploying a particular Linux distribution or open source application versus that same risk with Microsoft Windows OS or applications.
US-CERT's methodology doesn't take into account that a Microsoft vulnerability and repair is reported once; but open source software -- including Linux -- is part of many vendors' products, so a single vulnerability and repair can be reported several times, according to John H. Terpstra, co-founder of the Samba open source project and author of books about Samba and IT security.
Terpstra also notes that repairs are made on open source products by many developers, and that increases the number of updates. Yet, the fact that there are many updates of open source vulnerabilities is a positive, not a negative, thing.
The open source process, where everyone can have a look at alpha and beta code, can lead to the discovery of more weaknesses in the code, McCallister says. This is also a good thing, in that flaws can be repaired quickly and, often, before hackers can exploit them.
On the flip side, "if there's a big hole in Internet Explorer, no one can find it easily; plus it's already out there on millions of machines," says Bernard Golden, CEO of Navica, a San Ramon, Calif.-based systems integration firm, and author of the Addison-Wesley book, Succeeding with Open Source. "The issue just last week with Microsoft not planning to release a high-priority security patch until the monthly security update illustrates the issue with vendors balancing security against brand/market position concerns."
"Proprietary vendors have, and will probably continue to, hide vulnerabilities," says Turnbull. "In the last year the refusal of vendors like Cisco, Oracle and Microsoft to acknowledge major vulnerabilities was well-documented." A prime example of this, he adds, was Cisco's attempt to suppress the findings of security researcher, Michael Lynn, who revealed a known Cisco router security flaw.
Look more closely, experts advise, at US-CERT's inclusion of open source applications in the Unix/Linux category. "Most of those items are not related to the core [Linux] OS," says Bryan Tidd, IT director for City of Canton, Ga. Also, others added, many open source products also run on Windows and can't be completely wedded to Linux.
"If you compare vulnerabilities [only] of the Linux kernel versus Microsoft Windows, you see a pretty vast difference...in Linux's favor," McCallister says.
You'll also see that more applications than OS flaws were reported. "The most striking thing to me is that by far the most issues are with applications and not with the base OS," says Golden. "This tells me that the OS vendor is doing a pretty good job and is conscientious, but that the bigger threat to IT orgs is in their apps."
The US-CERT report shows that an IT director's security plan has to include applications as well as infrastructure, Golden says. Also, IT directors should recognize that most environments have a mix of systems and thereby require a flexible security plan to address that environment.
Part of that plan should be comparing the security toughness of open source versus Microsoft applications, our sources say. They give Microsoft pretty good marks for finding most OS flaws in alpha and beta phases, but give a thumbs-down to Microsoft's due diligence of its enterprise applications.
On the other hand, Golden thinks the open source community's extended development cycles and freely-available downloads make for wider usage before products are released. "On balance, [this] leads to more secure applications," Golden says.
This article originally appeared on SearchOpenSource.com.