Linux Distributions Respond to Forrester
dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
Then, there is the relevance of bugs. SE-Linux makes many otherwise serious glitches a mere nuisance. As do other modules in the LSM.
There is no chroot() in Windows, to the best of my knowledge. This also changes the severity of a bug from catastrophic to irritant, in Unix.
Finally, Nessus and SAINT are more often used to scan Unix boxes than Windows ones.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)