Linux wins on security in survey of 6,000+ software developers
| From: | lonn-AT-pageonepr.com | |
| To: | lwn-AT-lwn.net | |
| Subject: | Linux wins on security in survey of 6,000+ software developers | |
| Date: | Tue, 12 Apr 2005 07:00:49 EDT |
A poll of 6,000+ software developers released today shows that Linux consistently tops Microsoft Windows in terms of security. The full survey results will be given today (Tuesday, April 12) at the Software Security Summit in San Diego, CA. Linux More Secure Than Windows, National Survey Shows BZ Research survey of 6,344 software development managers shows Linux superior to Windows for operating system and application-level security attacks SOFTWARE SECURITY SUMMIT, LA JOLLA, Calif. April 12, 2005 In its first annual Security Issues Survey for the debut of the Software Security Summit conference in La Jolla, California, BZ Research polled 6,344 software development managers about the security of different popular enterprise operating environments and Linux and open source consistently topped Microsoft Windows, according to respondents. Summary findings of the initial results will be presented today at the Software Security Summit by conference chairman Alan Zeichick. The summit features more than 30 sessions and speakers, including keynote presentations by Mary Ann Davidson, Chief Security Officer for Oracle Corporation, Amit Yoran, former cyber chief in the Department of Homeland Security, and James A. Whittaker, noted author of books on security and Chief Scientist at Security Innovation, Inc. The Security Issues Survey initial findings showed software managers consistently ranked Linux more secure than Windows, with client operating systems and applications seen as most susceptible to security exploits. The survey also explored the use of security vulnerability assessment and testing tools, with most respondents saying their organizations don't do enough testing and that they plan to do more. The margin of error for the survey is 2.5 percentage points. Asked to rate the security of server operating environments against operating system related hacks and exploits, Windows Server fared worst by far. Some 58% rated Windows Server very insecure or insecure versus 13% for Linux. Sun Solaris fared best, with only 6% rating the operating system very insecure or insecure. On the positive side, some 74% of respondents rated Linux secure or very secure versus only 38% for Windows Server. Sun Solaris was rated secure or very secure by 66%. Asked about the security of operating systems against application-related hacks and exploits, Windows Server was again rated least secure. Some 58% of respondents rated Windows Server as very insecure or insecure versus 18% for Linux. On the other hand, Linux was deemed secure or very secure by 66% of respondents versus only 30% for Windows Server. When queried about comparing the security of open source versus proprietary software in eight categories, open source was the clear winner in four of the categories: desktop/client operating systems (44% to 17%); Web servers (43% to 14%); server operating systems (38% to 22%); and components and libraries (34% to 18%). Proprietary software was said to be more secure than open source in only one category, database servers (34% to 21%). Results were statistically the same in three categories: desktop/client applications, server applications and application servers. About Software Security Summit Software Security Summit, produced by BZ Media, is the premier event for the software security industry. The summit brings together the industry's leading experts to help development managers, software architects, applications programmers, and other IT professionals understand the specific security weaknesses in their software infrastructure. The debut summit will be held April 12-14, 2005, at the Hyatt Regency La Jolla, in San Diego, Calif. For more information, visit http://www.S-3con.com. ### Editorial Contact: Lonn Johnston Page One PR for Software Security Summit +1.650.565.9800 x101 lonn@pageonepr.com
(Log in to post comments)
Linux wins on security in survey of 6,000+ software developers
Posted Apr 12, 2005 19:17 UTC (Tue) by jwb (guest, #15467) [Link]
A developer survey reflects popular opinion versus actual experience. How about a survey of sysadmins? That would be more interesting. Given that every kernel released prior to April 4, 2005 has an exploitable SMP race, I think you'll hear a slightly different opinions. Said opinion may be of the form "Everything is crap!"
Linux wins on security in survey of 6,000+ software developers
Posted Apr 12, 2005 19:44 UTC (Tue) by hppnq (guest, #14462) [Link]
Strange reasoning, that would apply to any exploit ever published.Judging from my own experience I'd say that most sysadmins -- and, more importantly, management -- I have met haven't got the faintest clue about security anyway. I have seen horrific stuff you wouldn't believe, at big, big companies.
But then, I am in a bad mood today, having had to deal with this very problem all day.
Clueful?
Posted Apr 14, 2005 8:44 UTC (Thu) by shane (subscriber, #3335) [Link]
Most sysadmins and developers I know are superstitious. By this I mean that they don't want to understand the reason why things are, but rather just get them to work.While this makes some sense from an engineering standpoint, I still cringe when I see people typing "sync; sync".
Clueful?
Posted Apr 14, 2005 14:59 UTC (Thu) by utidjian (guest, #444) [Link]
I am an adittedly superstitious sysadmin; and I want to know why you would cringe when you see someone type sync; sync ? Would it make you cringe less if they typed sync&& sync ? If so, why?-DU-...etc...
Clueful?
Posted Apr 14, 2005 16:29 UTC (Thu) by jwb (guest, #15467) [Link]
I thought his point was, the second sync has no value. At least I hope that's his point.
Clueful?
Posted Apr 14, 2005 19:25 UTC (Thu) by roelofs (guest, #2599) [Link]
I thought his point was, the second sync has no value. At least I hope that's his point.Tsk, newbies. ( ;-) )
Kernel-page article from three years ago:
How synchronous should sync be? Andrew Morton has posted a patch fixing a perceived problem with the sync() system call: as long as processes keep generating data, sync() will keep flushing it to disk. The result is that a sync command can take a long time to execute - as in several minutes. Andrew's patch changes sync() to just ensure that all data to be written when the call is made gets out - buffers generated thereafter may not be written immediately.This patch, of course, changes a fundamental assumption made by many who use sync - that, upon completion, all data has been written to disk. In fact, according to the Single Unix Standard, this behavior is permissible: "The writing, although scheduled, is not necessarily complete upon return from sync()" It is, regardless, not the behavior that many expect.
There's no real consensus on what the proper behavior is. Unless Linus takes the patch, the current sync behavior will remain.
So I'm thinking the second and maybe even third sync has some value. :-)
(And I'm pretty sure I remember a followup, as well, in which further details were presented--for example, that there were already cases in which the "expected behavior" was not actually the real behavior--but I don't remember for sure. Maybe it's just my fevered imagination again...)
Greg
Clueful?
Posted Apr 14, 2005 21:37 UTC (Thu) by Zartan (guest, #23725) [Link]
More to the point, it's better to do:typed in by hand, than either of the above. Why? Because the second or two that it takes to type the second sync helps compensate for the "scheduled but not necessarily written" aspect of POSIX sync(). Works on all *nixes.# sync # sync
Representative samples: the Holy Grail
Posted Apr 18, 2005 18:20 UTC (Mon) by Max.Hyre (subscriber, #1054) [Link]
If I took anything away from my statistics courses, it's that the absolutely hardest part to get right is sampling. (Though figuring the right statistical analysis to use is close behind.)
It's hard because you have to
- First, figure what your sample population is: Sysadmins? Developers? CIOs? A mixture of them in various proportions? Can you determine that subset which knows what they're talking about?
- Then you have to figure how to generate a random sample of the members of your population---not trivial.
- Next, how do you reach that set of the population? Always have Dewey vs. Truman floating in front of your eyes. (They reached their sample population [the electorate] by telephone, heavily biasing it [in 1948] toward the well-off. For gory details, google for `truman dewey poll'.)
- Finally, after doing a good job of all of the above, you have to get your sample to respond to you. How many will be on vacation in Lower Slobovia? How many pick up their voicemail, or look at their e-mail, frequently, responding in time to do you any good? How many will downright refuse to have anything to do with you? Discarding these sample points, either by not counting them, or choosing someone else in their stead, puts a real dent in randomness.
So, just as you understand ``surf over here and answer some questions'', or ``dial in to tell whether you prefer Princess Di or Camilla'' polls to be nothing more than a form of entertainment, any poll like BZ Research's has to be taken with many grains of salt.
The whole thing is dubious without clear description of all the above criteria, analyzed by a knowledgeable, disinterested observer. Look at research reports in Science or Nature to see the sort of detail I mean. I'd bet a candy bar that the ``2.5 percentage points'' is nothing more than the number they looked up in a table for a sample size of 6k.
And now, for some entirely-different bias, look no further than the polls on the nightly news. They tend to be self-fulfilling prophecies: ``Well, if everyone feels like that, why should I bother to vote / call my Senator / complain to the Planning & zoning board?'' ``Hmmm, if no one's using Linux, I should hold off.''
I hope I've loosened your faith in polls somewhat. :-/