[ISN] MS vs. open source: Security's the same

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:02:32 PST


    By Wayne Rash
    March 25, 2002

    I already know that you're going to hate what I have to say. You'll no
    doubt send me strongly worded e-mails. Fine. We have a tough bunch
    here at ZDNet, and we can take it.

    When you read about the security problems of some open source
    applications and operating systems, some of you have nodded
    approvingly, and muttered words that sound a lot like "I told you so."
    Let's face it, all the smugness about the superiority of open source
    code has been pretty hard to take.

    Of course, the open source people claim that such charges simply
    aren't true. They say open source products are better because more
    people work on them and then distribute the patches--meaning that
    security holes get fixed right away. Microsoft, as the leading vendor
    of proprietary software, claims the same thing.

    The fact is, both sides have their share of problems--but neither side
    has the edge when it comes to fixing security holes. You're just as
    likely to encounter a security problem with open source code as you
    are with Microsoft Windows, and the fix is just as likely to appear
    quickly and be done properly.

    Normally, this is the point where Microsoft gets trashed for its
    seemingly endless list of security patches for Windows. That's not
    going to happen here. Yes, Microsoft does have a long list of security
    issues for which it has issued patches. But the fact that those
    patches exist means somebody in Microsoft is making sure those fixes
    are made.

    According to Steve Lipner, Microsoft's Director of Security Assurance,
    the company's Security Response Team operates seven days a week and
    has been known to issue patches to Windows security within hours of
    finding out about a problem. This sounds pretty responsive to me,
    certainly as responsive as the open-source solution to fixes--hoping
    someone steps up to the plate, creates a fix, and makes it available.

    The problems with security are not greater or fewer with Microsoft's
    code versus open source. They're just different. Want another opinion?
    In the FBI's ongoing list of the top 20 security problems, the numbers
    of Windows and open-source problems are about equal. The bottom line
    is that you should choose your OS or Web server software by how well
    it meets your needs--because these days, security really isn't the
    differentiating factor.
