Now, on to a rebuttal of Paul Thurrott's argument, and a hint to others who have tried to run the vulnerability numbers through the analysis wringer. Thurrott claims that through the sheer raw-number of vulnerabilities calculated by BugTraq, Linux is less secure than Windows. Thurrott states: "If you break down those numbers by Linux distribution (despite the fact that Windows 2000 and Windows NT are lumped together), Win2K/NT had 42 vulnerabilities in 2001 (data is through August only), and the leading Linux distribution, Red Hat, had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95." These numbers may, in total, be accurate. I don't dispute them. They appear to be slightly in Windows' favor. However, to my utter amazement, none of these industry observers has taken into account the substantial disparity in system functionality that is shipped on each platform and forms the software basis from which vulnerabilities arise. I reviewed the broadly categorised functionality packages that ship with Windows 2000 Server, presuming it be a reasonable superset of a generally available Microsoft platform. I counted approximately 120 subsystems in Windows 2000 Server. These include Internet Information Services Web server, Active Server Pages (ASP) Programming Environment, XML Parser, and so on. Now, to compare, I quickly researched a list of subsystems that are shipped with a modern Linux distribution. SuSe had just such a list available for its 7.3 Professional release, so I used it to represent the Linux side of the equation. The weigh-in? The Linux system had just under 2,600 packages. This means that, based on just this simple analysis, a modern Linux distribution ships with approximately 20 times more functionality in the box than what Microsoft ships with Windows 2000 Server. This is just a count of approximate functionality. With the hundreds of millions of lines of source code shipping for these platforms, a much deeper analysis would be untenable. When one does a quick and dirty calculation based on this new information, Linux, on a per-atomic-functionality basis, can be viewed as being 20 times more secure than Windows. This means that while Linux ships with 20 times as much material, it releases approximately the same number of security alerts as Windows. Despite playing my own numbers game, the point here isn't to bicker about the statistics behind the research. What our industry needs is for security to be elevated to the front and center of design and coding practices. Any organisation, community, or vendor that credibly attempts to achieve this is worth supporting. What should not, however, be condoned, are instances where an organisation or vendor touts this approach primarily as a cynical marketing exercise, without procuring end results. Con Zymaris is the CEO of Cybersource, a long-standing Australian IT & Internet Professional Services company.






