Information Security News mailing list archives

MS vs. open source: Security's the same


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Mar 2002 01:02:32 -0600 (CST)

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2857736,00.html

By Wayne Rash
March 25, 2002 
wrash () mindspring com

I already know that you're going to hate what I have to say. You'll no 
doubt send me strongly worded e-mails. Fine. We have a tough bunch 
here at ZDNet, and we can take it. 

When you read about the security problems of some open source 
applications and operating systems, some of you have nodded 
approvingly, and muttered words that sound a lot like "I told you so." 
Let's face it, all the smugness about the superiority of open source 
code has been pretty hard to take. 

Of course, the open source people claim that such charges simply 
aren't true. They say open source products are better because more 
people work on them and then distribute the patches--meaning that 
security holes get fixed right away. Microsoft, as the leading vendor 
of proprietary software, claims the same thing. 

The fact is, both sides have their share of problems--but neither side 
has the edge when it comes to fixing security holes. You're just as 
likely to encounter a security problem with open source code as you 
are with Microsoft Windows, and the fix is just as likely to appear 
quickly and be done properly. 

Normally, this is the point where Microsoft gets trashed for its 
seemingly endless list of security patches for Windows. That's not 
going to happen here. Yes, Microsoft does have a long list of security 
issues for which it has issued patches. But the fact that those 
patches exist means somebody in Microsoft is making sure those fixes 
are made. 

According to Steve Lipner, Microsoft's Director of Security Assurance, 
the company's Security Response Team operates seven days a week and 
has been known to issue patches to Windows security within hours of 
finding out about a problem. This sounds pretty responsive to me, 
certainly as responsive as the open-source solution to fixes--hoping 
someone steps up to the plate, creates a fix, and makes it available. 

The problems with security are not greater or fewer with Microsoft's 
code versus open source. They're just different. Want another opinion? 
In the FBI's ongoing list of the top 20 security problems, the numbers 
of Windows and open-source problems are about equal. The bottom line 
is that you should choose your OS or Web server software by how well 
it meets your needs--because these days, security really isn't the 
differentiating factor. 



-
ISN is currently hosted by Attrition.org
