April 7, 2004

Linux vendors cast doubt on Forrester’s security comparison

The Linux community has hit back at last week's claim by Forrester Research that Windows is more secure than Linux by claiming the firm's conclusions "have limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."

By CBR Staff Writer

That comment was part of a joint statement by representatives of Red Hat, Novell’s SuSE business, MandrakeSoft, and Debian, issued in response to the Forrester report Is Linux more secure than Windows?

That report was published last week and compared the number and frequency of publicly reported high-severity vulnerabilities in Windows and Linux and the time it takes Microsoft Corp or the open source community to make patches available for those vulnerabilities.

In order to assess the time taken to respond to faults, Forrester produced two metrics for Linux: all days of risk and distribution days of risk, the difference between them being a measure of how long it takes the Linux distributors to get a patch through their own patch processes and out to their customers. As Microsoft is the sole supplier of patches for the Windows stack, there is only one number for its platform.

It is this issue, rather than the research firm’s figures about the number of vulnerabilities, that has inflamed a response from the Linux distributors. "Our users will know that for critical flaws we can respond within hours. This prioritization means that lower severity issues will often be delayed to let the more important issues get resolved first," read the statement.

"Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor’s fix. For each vendor the report gives just a simple average, the ‘all/distribution days of risk’, which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk they pose."

In publishing the report Forrester said that it had normalized differences in vulnerability categorization as much as possible to try to measure the platforms against each other. It used the National Institute of Standards and Technology’s ICAT definition of high severity to classify vulnerabilities.

The Linux distributors also cast doubt on the Forrester statements regarding Windows vulnerabilities. "The openness, transparency and traceability of the source code is added value in addition to the larger variety of software packages available. Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents," it read.

The research firm found that the Windows platform had 126 security flaws in its stack between June 1, 2002 and May 31, 2003, with 67% of them being high-severity vulnerabilities, and that Microsoft fixed all 128 flaws in an average of 25 days.

This article is based on material originally published by ComputerWire
