FOR - Richard Ford, Research prof., Florida Institute of Technology
Any time one compares Linux and Windows security one risks unleashing a cataract of opinion.
Everyone claims to know the answer, but few have facts to substantiate their version of the truth. When Dr. Thompson and I set out to measure the "days of risk" accrued when running a web server, it was obvious we were measuring just one element of security.
In these areas in particular, I believe Linux has the edge over Windows.
Ultimately, part of the problem is that most users are not sure what they mean by "more secure." Does that mean less attacked? Does that mean less likely to be exploited? Some of the confusion surrounding our work is directly related to this lack of clarity regarding the base question.
The simple truth is that I've been running a variant of Linux at home for over a decade and I have no intent to move to Windows Server 2003. The bottom line is that both OSs can provide a robust and secure solution for most roles; for me, what matters is familiarity and control. When using Linux, I have both.
AGAINST - Herbert Thompson, Director, Security Innovation
Early in 2004 Dr. Ford and I began a study to compare the security of Linux and Windows in ways that would be meaningful to users. We soon found that opinions on inherent security were plentiful, but digestible facts that were helpful for IT decision makers were scarce.
Any platform decision is likely to have a long-term impact. It's essential to look at today's security as well as what vendors are doing to prepare for the security challenges of tomorrow.With Microsoft, we have the Trustworthy Computing Initiative. In Linux, we have a strategy of modularity and an array of individual components that users can cobble together to form a solution.
The bet then comes down to directed solution improvement versus component evolution. At the February RSA conference, Dr. Ford and I bet $20, he on Linux and I on Windows.
Based on the number of vulnerabilities in 2004 and the average period of exposure for each, I and Windows claimed victory, and the money. But the true winner will be decided on corporate balance sheets years from now.