TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

Linux-based systems get a lot of press in IT trade publications. A lot of that press relates to their security characteristics. In fact, some claim “Linux is the most secure operating system (OS) of them all.” Such statements are, of course, unsupportable hyperbole; while many Linux distributions may outshine both MS Windows and Apple MacOS X by a significant margin, there’s evidence to suggest that most Linux distributions are not up to the standards of FreeBSD, for instance — let alone OpenBSD, with possibly the best security record of any general-purpose operating system.

That’s even leaving out special-purpose OSes such as a number of RTOSes, IBM i, OpenVMS, and TrustedBSD. In the sense that many people tend to think first, foremost, and often only of Linux-based systems when they think of open source OSes (and even think of “Linux” as an OS without distinguishing between distributions), however, they have a point: all else being equal, a popular open source OS has definite security advantages over a popular closed source counterpart. Linux distributions are far from the only open source operating systems, though. Just for the sake of argument, insofar as Linux is emblematic of open source OSes, then, and MS Windows is emblematic of closed source OSes, it may not be so unrealistic to say “Linux is the most secure OS of them all,” where “them all” consists of only two choices — but the world is not that simple.

“Linux” in the abstract, however — as a stand-in for the average Linux distribution — is simply not the most secure OS available by a more comprehensive view of OSes. There are, in fact, some Linux distributions that have been created for research purposes that are intentionally as poorly secured as possible in default configuration. The range of default configuration security for Linux distributions spans a broad array of choices between “intentionally as airtight as a screen door” and Hardened Gentoo. Obviously, the average, or the norm, is somewhere between the two.

Furthermore, determining a “most secure” OS is not as straightforward as it might at first sound. One of the most common criteria used by people who don’t really understand security, and by those who do understand it but want to manipulate those who don’t with misdirection and massaged statistics, is vulnerability discovery rates. Those of us who know better are aware that there’s a lot more to security than counting vulnerabilities. Other, more credible criteria may involve factors such as:

  • code quality auditing
  • default security configuration
  • patch quality and response time
  • privilege separation architecture

. . . and a whole lot more.

Even if we ignore any OS that won’t, for instance, run a popular browser (such as Firefox), a popular email client (such as Thunderbird), and a popular office suite (such as OpenOffice.org) in a WIMP GUI on an Intel x86 architecture computer, the average Linux distribution doesn’t beat every other option in all categories by any stretch. Ubuntu Linux, arguably the Linux distribution with the greatest mindshare, certainly doesn’t.

In fact, for every category that occurs to me off the top of my head as I write this, there are operating systems that beat Ubuntu on every category, some of which are actually other Linux distributions — even if some people say Ubuntu is the most secure Linux distribution. Of course, if that were true, and it were true that Linux was the most secure OS, that would make Ubuntu more secure than OpenVMS. Suffice to say I don’t buy that implication.

If you’re one of those people inclined to say “Linux is the most secure operating system of all,” you should probably rethink that. A much stronger case can be made for the security of some other OSes than the average Linux distribution. Even if it couldn’t, the variability of Linux distributions in general, and the differing criteria for the security of an OS that may come into play in comparisons, make such a statement quixotic at best.

The long version of the answer to the question “Is Linux the most secure OS?” is that it depends on what OSes you’re comparing, or whether you’re comparing specific OSes at all (instead of something like “open source vs. closed source”), and for what purposes you mean to evaluate the security of an operating system. If you make claims like that, someone who knows better will have an easy way to discredit your argument. Be more specific, not only in your arguments, but in your thinking — because it’s too easy to form bad habits that may lead to making bad decisions about your own security, and because giving people inaccurate information about security like that can create real problems. If you mean that all else being equal popular open source OSes are more secure than popular closed source OSes, say so. If you mean that Ubuntu’s default configuration is more secure than MS Windows Vista’s, say so. Just saying “Linux is the most secure operating system of all,” on the other hand, is imprecise and inaccurate.

The short version of the answer, of course, is “No.”

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
