HomeBrainDump Page 2 - What we can Learn from Two Linux vs. Microsoft Studies
Secure the Databases - BrainDump
The question of which platform is better for running a business, Windows or Linux, has inspired debates that are nearly religious in their vehemence. Two studies came out this year that purport to settle the question, at least when it comes to issues of security and reliability. Do they really provide a final answer, or just more fuel for the fire?
The first report notes that database servers must “manage, store and retrieve data in a highly available way.” This should lead to concerns about security from the get-go, yet “security has been conspicuously absent” from the list of criteria that IT decision makers have used when choosing an appropriate platform. To study these issues, Security Innovation set up three systems as noted in the first section of this article, and considered vulnerabilities that were patched over the course of a year (from March 1, 2004 through February 28, 2005).
It isn’t quite an apples to apples comparison. The company was able to use the “minimal install” option for Linux and the MySQL database server, which, they note, “yields a smaller attack surface.” In the case of Oracle, SI went with the recommended configuration. With Microsoft, SI needed to do a “complete” installation because “there are many components which are difficult or impossible to completely remove from the operating system…” I leave it as an exercise for the reader whether such differences in the installations will yield meaningful results.
And what were those results? “Looking at just the database applications by themselves, our study found that SQL Server 2000 had zero vulnerabilities in the one year time period, MySQL had 7 vulnerabilities and Oracle 10g had the most with 30 vulnerabilities.” The full server stack results are even more shocking for open source supporters: 63 vulnerabilities for the Windows-based solution, 116 for the MySQL solution, and a whopping 207 for Red Hat running Oracle.
The study also examined what it called “days of risk.” That is the time between a vulnerability being publicly announced and the vendor releasing a patch. That time period was, on average, 32 days for the Windows-based solution, more than 61 days for the Linux-MySQL platform, and more than 38 days for Linux-Oracle. One aspect of this study that bothers me a little is that I can’t really tell how much it took into account the fact that volunteer support for Linux is strong enough that its forums will have fixes for bugs literally within hours of users becoming aware of them. In the executive summary, SI states that it worked with Mark Cox of Red Hat to resolve discrepancies in vulnerability disclosure dates, but still, Microsoft’s parallel is the monthly bug/security fixes it gives out. That should affect “days of risk.”
Perhaps one of the assumptions made by the study, for comparison purposes, sheds some light on this: “The user requires the features, trust, support and professional maintenance provided by a trusted software distributor.” In the case of Linux, this means that “users will only install versions of the OS components blessed and released by the OS vendor, so that their support contract remains valid.” But Linux administrators are used to seeking support in the various user forums; not accounting for that may cripple the study. Indeed, it is specifically stated, further down, that “It is assumed that Red Hat customers only install patches released by Red Hat…and are taking other similar steps to ensure they comply with their maintenance contract. Similarly, Windows customers only utilize fixes released by Microsoft.”
Correct me if I’m wrong, but that methodology seems guaranteed to maximize “days of risk” for the Linux system, and minimize vulnerabilities discovered and taken care of in the Windows system. If you are interested in reading more about this report, you can check out the full 44 pages here.