Slashdot Mirror


Linux Distributions Respond to Forrester

dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."

12 of 262 comments

  1. If you think that mass-circulated study is bad... by Apostata · · Score: 2, Informative

    ...try this, from good ol' News.com: Moving to Linux May Not Save Money -- Yet.

    --

    This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
  2. just in case by Anonymous Coward · · Score: 5, Informative

    (site loads slowly. here we go in case of /.'ing)

    GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.

    The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

    We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:

    We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.

    Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.

    Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party, however the classification of "high-severity" vulnerabilities is not sufficient: The mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.

    We believe the report does not treat the open source vendors and single closed source vendor in th

  3. Re:Analyst hacks will never bit the hand that feed by SKPhoton · · Score: 5, Informative

    Probably another Microsoft funded event.

    you would be correct

    From the article:
    "In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."

  4. You left out a part... by Spyro+VII · · Score: 3, Informative

    [Update: Apr 6 at 7:58pm CDT... Martin Schulze from the Debian team added some more information.] Javier Fernandez-Sanguino Pena composed a survey in 2001[*] and discovered that it has taken the Debian security team an average of 35 days to fix vulnerabilities posted to the Bugtraq list. However, over 50% of the vulnerabilities were fixed in a 10-day time frame, and over 15% of them were fixed the same day the advisory was released! For this analysis, all vulnerabilities were treated the same, though. He has rerun the survey based on vulnerabilities discovered between June 1st 2002 and May 31st 2003 and found out that the median value of delays between the disclosure and releasing an advisory including a correction was 10 days (average is 13.5 days). Again, for this analysis advisories were not classified with different priorities.
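    The common statement above objects to a single "days of risk" average that treats every vulnerability alike, and the Debian survey in this comment contrasts the median with the average. The script below is an added illustration for this thread, not Forrester's methodology, Debian's survey code, or any vendor's data: the advisory identifiers, severities, disclosure dates and fix dates are constructed. It computes the same simple average, then the median, the per-severity breakdown and the "fixed within N days" share, so you can see how a handful of slow low-severity fixes dominates the plain average while the critical fixes land within a day.

```python
"""Days-of-risk metrics over a constructed advisory list.

Added example for this discussion; not Forrester's method and not real
vendor data. Every advisory, severity and date below is made up.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample: (advisory id, severity, public disclosure, vendor fix).
# The ids are placeholders, not real advisory numbers.
ADVISORIES = [
    ("SAMPLE-0001", "critical", date(2003, 6, 3), date(2003, 6, 3)),
    ("SAMPLE-0002", "critical", date(2003, 7, 14), date(2003, 7, 15)),
    ("SAMPLE-0003", "high", date(2003, 8, 1), date(2003, 8, 3)),
    ("SAMPLE-0004", "moderate", date(2003, 9, 10), date(2003, 9, 25)),
    ("SAMPLE-0005", "low", date(2003, 10, 2), date(2003, 12, 20)),
    ("SAMPLE-0006", "low", date(2003, 11, 5), date(2004, 1, 30)),
]


def days_of_risk(disclosed, fixed):
    """Days between public disclosure and the vendor's fix (0 = same day)."""
    return (fixed - disclosed).days


def simple_average(advisories):
    """The one-number 'All/Distribution days of risk' style figure:
    every advisory counts the same, whatever its severity."""
    return mean(days_of_risk(d, f) for _, _, d, f in advisories)


def median_days(advisories):
    """Median delay: what a typical advisory actually looked like."""
    return median(days_of_risk(d, f) for _, _, d, f in advisories)


def per_severity(advisories):
    """Average, worst case and count of delays, grouped by severity."""
    buckets = defaultdict(list)
    for _, sev, d, f in advisories:
        buckets[sev].append(days_of_risk(d, f))
    return {sev: (mean(v), max(v), len(v)) for sev, v in buckets.items()}


def fraction_fixed_within(advisories, days):
    """Share of advisories fixed no later than `days` after disclosure."""
    hits = sum(1 for _, _, d, f in advisories if days_of_risk(d, f) <= days)
    return hits / len(advisories)


if __name__ == "__main__":
    print(f"simple average : {simple_average(ADVISORIES):.1f} days")
    print(f"median         : {median_days(ADVISORIES):.1f} days")
    for sev, (avg, worst, n) in per_severity(ADVISORIES).items():
        print(f"{sev:>9}: avg {avg:5.1f}  worst {worst:3d}  (n={n})")
    for n in (0, 1, 10):
        share = fraction_fixed_within(ADVISORIES, n)
        print(f"fixed within {n:2d} day(s): {share:.0%}")
```

    On the constructed data the plain average is 30.5 days while the median is 8.5 and the critical fixes average half a day; the two slow low-severity advisories alone account for most of the average. That is exactly the distortion the vendors describe: a prioritised queue pushes low-risk issues back, and a flat average then reads that as slow response. When reviewing a vendor's track record, look at the per-severity figures and the "fixed within N days" share rather than the single average.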

  5. Re:On Microsoft's Side by pholower · · Score: 4, Informative
    Mostly businesses have gotten attacked before the patch was released, but you don't hear about them because they don't release that information to let others know that they in fact have a security flaw.

    Microsoft finds their flaws in a number of ways: businesses that report them, and white hat hackers who do this for a living.

    But to answer your question a little better. If you look back at the flaws in IE, consumers, not businesses, were the ones that got attacked before the patches were out. Again, because it was a person, it is hard to track down the exact problem that occurred to them. IE has the flaws that were exploited before the patches came out. Phishing scams from the address bar.

    --
    -- johntracy.com, because everybody else is wrong.
  6. Re:Debian's a vendor? by Soko · · Score: 4, Informative

    Sure. So is the Fedora project (though you could call them "RedHat", and not be too far off).

    I rely on them for providing me a rock-stable, thoroughly tested distribution and any security updates to that distribution.

    I, in turn, (since I'm not a really good coder) spread the good word that these people know what they're doing. If I find a bug or security vulnerability, I report it to them ASAP. I also test out their new stuff, and report bugs and such for them, and suggest ways that they might improve their products.

    They give me something, I pay them in the currency they want. They are indeed a vendor.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  7. Re:Analyst hacks will never bit the hand that feed by WebCowboy · · Score: 4, Informative

    You are right in your suspicions that these sorts of "studies" are commissioned by Microsoft as part of their marketing strategy (just part of the business--Oracle, Sun, IBM etc. parade studies that flatter their products as well, after all). However, I don't dwell at all on these sorts of studies and I certainly wouldn't give them any meaningful weight when making a decision on deploying Linux (or not).

    Even given the positive spin towards Microsoft, however, Forrester's comments on the study are a barely lukewarm endorsement of Microsoft, and don't seem to be too critical of Linux. Check out some of the comments by Forrester analyst Laura Koetzle:

    Surprisingly, Microsoft did the best job at patching vulnerabilities fast, even though it ranked at the top with the largest percentage of its security holes rated as high

    So they DID acknowledge that Microsoft's platform had the most HIGH RISK vulnerabilities, although this fact is glossed over in the article. Koetzle also acknowledges that the study did NOT look at how WELL the patches addressed the problem (MS often needs to issue more than one patch to get it right, and sometimes they fix one bug and introduce another).

    "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty darn thorough."

    Sure doesn't sound like something you'd expect an MS-paid cheerleader to say about the competition...

    This is very much a case of your mileage may vary

    Translation: even if patches are made fast they can still leak...

    The bottom line? Any of these platforms can be operated securely

    Quite the ringing endorsement for MS ain't it? Nice to see their people so solidly back their studies...

  8. Re:Money talks by awkScooby · · Score: 5, Informative
    Microsoft has 2 critical vulnerabilities which they have known about for 209 days. Another one they've known about for 182 days. I don't know of any open source security holes which have sat for 209 days!

    reference

    I don't buy for a minute that 1) Microsoft releases patches faster or 2) that Microsoft even gives a damn about security, except for the black eye it gives them.

  9. Re:On Microsoft's Side by awkScooby · · Score: 2, Informative
    Does anybody know of a case where someone has been attacked through a Microsoft vulnerability between the time of its going public and the release of the patch? The most often encountered scenario seems to be people who never upgrade getting attacked because hackers have reverse engineered the patches.

    I think it was Stanford University that got hit with some of the RPC DCOM vulnerabilities before a patch was released. No, it wasn't one of the worms, it was hackers backdooring systems.

  10. Re:The report and its value by ajv · · Score: 4, Informative

    SARA is akin to MSBA and similar tools (some free, some not).

    Microsoft publishes extensive security checklists for various roles, and automates this process for the most likely deployment scenarios via the IIS Lockdown tool and local / group policy templates. You can manage a large fleet of computers using Group Policy in AD, so your lockdowns quickly apply to all computers, not just one.

    Nessus scans at the network level and works acceptably to find most Windows network-based vulnerabilities. I use Nessus myself when doing vulnerability assessments as a shortcut / initial pass. Nessus is not good at finding configuration or local user weaknesses. .NET supports sandboxing similar to a chroot jail if an application asks for it. Windows supports junction points, which can be used (but I've never seen used) to contain a particular application to a particular volume (which could be a virtual device, or similar).

    However, in Windows, the use of ACLs, low privilege service accounts, and utilizing fine grained privileges replaces big ass isolation required by Unix-like operating systems simply because most Unix-like OSs don't have this level of security architecture or fine grained access control.

    I don't use SAINT, so I have no comment on that.

    Just because an OS is different or you personally don't have knowledge of lockdowns, doesn't make another OS insecure. It requires bad coding practices and poor configuration to do that. Thanks to Windows' popularity, there's more than enough of this to go around.

    Andrew

    --
    Andrew van der Stock
  11. Re:The cold-hard truth about Forrester and Gartner by cornjones · · Score: 1, Informative

    I only wish.

    I worked for a world-known brand that took these very seriously. They took a bunch of Jupiter reports (IIRC, they are basically the same thing). They based the whole IT strategy on these things. All handed down from the global management team "The new direction". "We will use only best of breed" (MS and cisco) "no linux on the desktop" (surprised me that that was mentioned specifically) and a bunch of other things that basically came directly out of a bunch of these reports.

    I think this is similar to people who watch fox news and think it is telling the whole truth. (if you have to proclaim yourself fair and balanced you probably aren't. think honest eddy at the used car dealership is honest?) These reports claim to be objective, but as other posters have pointed out, they tend to follow the money.

  12. Re:IT Research shops by ron_ivi · · Score: 3, Informative
    Forrester are the same goofballs that claim Sun Erases Doubts About Its Viability by becoming another SCO-like pawn in Microsoft's linux war. It's an expensive subscription so it's easier & cheaper to read Cnet's spin on the forrester report instead, which claims "These moves remove doubts about Sun's viability by bolstering Solaris".

    Their logic seems to be windows IP will bolster Solaris!?! Wow.

    Betcha microsoft or some exec who gets a bonus paid for that report.