Linux wins on security in survey of 6,000+ software developers
From: lonn-AT-pageonepr.com
To: lwn-AT-lwn.net
Subject: Linux wins on security in survey of 6,000+ software developers
Date: Tue, 12 Apr 2005 07:00:49 EDT
A poll of 6,000+ software developers released today shows that Linux consistently tops Microsoft Windows in terms of security. The full survey results will be given today (Tuesday, April 12) at the Software Security Summit in San Diego, CA.

Linux More Secure Than Windows, National Survey Shows

BZ Research survey of 6,344 software development managers shows Linux superior to Windows for operating system and application-level security attacks

SOFTWARE SECURITY SUMMIT, LA JOLLA, Calif., April 12, 2005 -- In its first annual Security Issues Survey for the debut of the Software Security Summit conference in La Jolla, California, BZ Research polled 6,344 software development managers about the security of different popular enterprise operating environments, and Linux and open source consistently topped Microsoft Windows, according to respondents.

Summary findings of the initial results will be presented today at the Software Security Summit by conference chairman Alan Zeichick. The summit features more than 30 sessions and speakers, including keynote presentations by Mary Ann Davidson, Chief Security Officer for Oracle Corporation, Amit Yoran, former cyber chief in the Department of Homeland Security, and James A. Whittaker, noted author of books on security and Chief Scientist at Security Innovation, Inc.

The Security Issues Survey initial findings showed software managers consistently ranked Linux more secure than Windows, with client operating systems and applications seen as most susceptible to security exploits. The survey also explored the use of security vulnerability assessment and testing tools, with most respondents saying their organizations don't do enough testing and that they plan to do more. The margin of error for the survey is 2.5 percentage points.

Asked to rate the security of server operating environments against operating system related hacks and exploits, Windows Server fared worst by far. Some 58% rated Windows Server very insecure or insecure versus 13% for Linux. Sun Solaris fared best, with only 6% rating the operating system very insecure or insecure. On the positive side, some 74% of respondents rated Linux secure or very secure versus only 38% for Windows Server. Sun Solaris was rated secure or very secure by 66%.

Asked about the security of operating systems against application-related hacks and exploits, Windows Server was again rated least secure. Some 58% of respondents rated Windows Server as very insecure or insecure versus 18% for Linux. On the other hand, Linux was deemed secure or very secure by 66% of respondents versus only 30% for Windows Server.

When queried about comparing the security of open source versus proprietary software in eight categories, open source was the clear winner in four of the categories: desktop/client operating systems (44% to 17%); Web servers (43% to 14%); server operating systems (38% to 22%); and components and libraries (34% to 18%). Proprietary software was said to be more secure than open source in only one category, database servers (34% to 21%). Results were statistically the same in three categories: desktop/client applications, server applications and application servers.

About Software Security Summit

Software Security Summit, produced by BZ Media, is the premier event for the software security industry. The summit brings together the industry's leading experts to help development managers, software architects, applications programmers, and other IT professionals understand the specific security weaknesses in their software infrastructure. The debut summit will be held April 12-14, 2005, at the Hyatt Regency La Jolla, in San Diego, Calif. For more information, visit http://www.S-3con.com.

###

Editorial Contact:
Lonn Johnston
Page One PR for Software Security Summit
+1.650.565.9800 x101
lonn@pageonepr.com
Linux wins on security in survey of 6,000+ software developers
Posted Apr 12, 2005 19:17 UTC (Tue) by jwb (guest, #15467) (7 responses)

A developer survey reflects popular opinion versus actual experience. How about a survey of sysadmins? That would be more interesting. Given that every kernel released prior to April 4, 2005 has an exploitable SMP race, I think you'll hear slightly different opinions. Said opinion may be of the form "Everything is crap!"

Linux wins on security in survey of 6,000+ software developers
Posted Apr 12, 2005 19:44 UTC (Tue) by hppnq (guest, #14462) (5 responses)

Strange reasoning, that would apply to any exploit ever published.

Most sysadmins and developers I know are superstitious. By this I mean that they don't want to understand the reason why things are, but rather just get them to work.

Judging from my own experience I'd say that most sysadmins -- and, more importantly, management -- I have met haven't got the faintest clue about security anyway. I have seen horrific stuff you wouldn't believe, at big, big companies.

But then, I am in a bad mood today, having had to deal with this very problem all day.

Clueful?
Posted Apr 14, 2005 8:44 UTC (Thu) by shane (subscriber, #3335) (4 responses)

While this makes some sense from an engineering standpoint, I still cringe when I see people typing "sync; sync".

Clueful?
Posted Apr 14, 2005 14:59 UTC (Thu) by utidjian (guest, #444) (3 responses)

I am an admittedly superstitious sysadmin; and I want to know why you would cringe when you see someone type "sync; sync"? Would it make you cringe less if they typed "sync && sync"? If so, why?

-DU-...etc...

Clueful?
Posted Apr 14, 2005 16:29 UTC (Thu) by jwb (guest, #15467) (2 responses)

I thought his point was, the second sync has no value. At least I hope that's his point.

Clueful?
Posted Apr 14, 2005 19:25 UTC (Thu) by roelofs (guest, #2599) (1 response)

Tsk, newbies. ( ;-) )

Kernel-page article from three years ago:

    How synchronous should sync be? Andrew Morton has posted a patch fixing a perceived problem with the sync() system call: as long as processes keep generating data, sync() will keep flushing it to disk. The result is that a sync command can take a long time to execute - as in several minutes. Andrew's patch changes sync() to just ensure that all data to be written when the call is made gets out - buffers generated thereafter may not be written immediately.

    This patch, of course, changes a fundamental assumption made by many who use sync - that, upon completion, all data has been written to disk. In fact, according to the Single Unix Standard, this behavior is permissible: "The writing, although scheduled, is not necessarily complete upon return from sync()." It is, regardless, not the behavior that many expect. There's no real consensus on what the proper behavior is. Unless Linus takes the patch, the current sync behavior will remain.

So I'm thinking the second and maybe even third sync has some value. :-)

(And I'm pretty sure I remember a followup, as well, in which further details were presented--for example, that there were already cases in which the "expected behavior" was not actually the real behavior--but I don't remember for sure. Maybe it's just my fevered imagination again...)

Greg

Clueful?
Posted Apr 14, 2005 21:37 UTC (Thu) by Zartan (guest, #23725)

More to the point, it's better to do:

    # sync
    # sync

typed in by hand, than either of the above. Why? Because the second or two that it takes to type the second sync helps compensate for the "scheduled but not necessarily written" aspect of POSIX sync(). Works on all *nixes.

Representative samples: the Holy Grail
Posted Apr 18, 2005 18:20 UTC (Mon) by Max.Hyre (subscriber, #1054)

If I took anything away from my statistics courses, it's that the absolutely hardest part to get right is sampling. (Though figuring the right statistical analysis to use is close behind.)

It's hard because you have to

So, just as you understand ``surf over here and answer some questions'', or ``dial in to tell whether you prefer Princess Di or Camilla'' polls to be nothing more than a form of entertainment, any poll like BZ Research's has to be taken with many grains of salt.

The whole thing is dubious without clear description of all the above criteria, analyzed by a knowledgeable, disinterested observer. Look at research reports in Science or Nature to see the sort of detail I mean. I'd bet a candy bar that the ``2.5 percentage points'' is nothing more than the number they looked up in a table for a sample size of 6k.

And now, for some entirely-different bias, look no further than the polls on the nightly news. They tend to be self-fulfilling prophecies: ``Well, if everyone feels like that, why should I bother to vote / call my Senator / complain to the Planning & zoning board?'' ``Hmmm, if no one's using Linux, I should hold off.''

I hope I've loosened your faith in polls somewhat. :-/
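The sync subthread above (the quoted kernel-page article on sync() semantics, and the hand-typed double sync) turns on one fact: POSIX only requires sync() to schedule dirty buffers for writing, not to wait for them. A second sync, or a pause before it, is a guess about timing, not a guarantee. The call that does give a guarantee for a specific file is fsync(2) on that file's descriptor, followed by fsync(2) on its directory so the directory entry is durable as well. The program below is an added example written for this page; it is not code from LWN or from any commenter in the thread. It assumes Linux with glibc, and the /tmp path in main() is a constructed example. It writes through a temporary file and rename(), so a crash at any point leaves either the old contents or the complete new contents, never a torn file.

```c
/* Added example, not from the LWN page or any commenter: make one file
 * durable with fsync(2) instead of hoping sync(2) has finished.  POSIX
 * sync() only schedules writes; fsync() on a descriptor returns after
 * that file's data and metadata have been pushed to the device.
 * Assumes Linux/glibc.  The path in main() is a constructed example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write every byte of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

/* fsync() the directory containing path so a new or renamed entry
 * survives a crash.  A directory opened O_RDONLY can be fsync()ed. */
static int fsync_parent_dir(const char *path) {
    char copy[4096];
    if (strlen(path) >= sizeof copy) { errno = ENAMETOOLONG; return -1; }
    strcpy(copy, path);                 /* dirname() may modify its argument */
    int dfd = open(dirname(copy), O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int rc = fsync(dfd);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* Durably replace the contents of path with buf[0..len): write a temp
 * file, fsync it, rename it into place, fsync the directory.
 * Returns 0 on success, -1 with errno set on failure (temp file removed). */
int write_durably(const char *path, const char *buf, size_t len) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write_all(fd, buf, len) != 0 || fsync(fd) != 0 || close(fd) != 0) {
        int saved = errno;
        close(fd);                      /* harmless if already closed */
        unlink(tmp);
        errno = saved;
        return -1;
    }
    if (rename(tmp, path) != 0) {
        int saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }
    return fsync_parent_dir(path);
}

/* Read back up to cap-1 bytes (NUL-terminated) so a caller can check what
 * actually landed.  Returns the byte count or -1. */
ssize_t read_back(const char *path, char *out, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, cap - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

int main(void) {
    const char *path = "/tmp/lwn_sync_example.txt";   /* constructed path */
    const char msg[] = "committed before returning\n";
    if (write_durably(path, msg, sizeof msg - 1) != 0) {
        perror("write_durably");
        return 1;
    }
    char buf[64];
    ssize_t n = read_back(path, buf, sizeof buf);
    printf("%zd bytes durable at %s: %s", n, path, buf);
    unlink(path);
    return 0;
}
```

A return of 0 from write_durably() means the kernel has handed the data to the device; whether the device's own volatile write cache honors the flush is the storage layer's responsibility, not the program's. The point relative to the thread is that a program which needs durability of a particular file asks for exactly that, rather than running sync a second time and hoping the scheduled writes have finished.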