Which server environment is more secure, Windows or Linux? This question has been debated to the nth degree on computer forums, blogs, and in numerous other places.
A study conducted by Security Innovation may give a more definitive answer, although it will probably just re-ignite the old arguments. In an extensive white paper, the Security Innovation team compared, amongst other things, the number of vulnerabilities each server environment faced. The study also compared how long a security risk remained a risk to the server setup in question.
The aim was to determine which environment was most at risk. To present solid findings, the team tested their data under the different installation configurations available. The white paper offers cumulative results, and they may surprise some readers.
Among other things, the study concludes:
“On balance, as security practitioners, we know that both the Red Hat and Microsoft solutions can be used to provide a secure solution when deployed and administered with the right skills and under the right policy. Based upon both counts/lifecycles of bugs and the absence/presence of qualitative drivers of security, it appears that Microsoft may have an edge in many environments.
Put another way, looking at the software security factors that each vendor has the ability to directly affect – software security quality and security response – the data shows that a web server workload built using Windows Server 2003 has fewer security vulnerabilities requiring customer mitigation or patching than a similar workload built on Red Hat Enterprise Linux.”
Microsoft potentially safer than Linux? The reaction should be quite interesting.
PS: Security Innovation runs IIS 5.0