Posted on | October 23, 2009 | 13 comments
With the launch of Windows 7 on Thursday, 22 Oct 2009, Linux vendors, led by IBM, are touting the intrinsic security superiority of Linux vs. Windows. Vendor hype aside, the Windows 7 launch does raise two big questions:
- In what way is Windows 7 more secure than Vista or XP?
- Is Linux truly more secure than Windows?
Jacob West, Director of Security Research at application security firm Fortify Software, thoroughly answers these questions in this exclusive LastWatchdog guest blog post. Comments are encouraged.
By Jacob West
Director of Security Research, Fortify Software
Security Development Lifecycle (SDL)
- Microsoft has done pioneering work with their Security Development Lifecycle, which builds security in throughout their development lifecycle.
- Microsoft attributes significant reductions in mainline products, including Windows Vista, Internet Explorer, and SQL Server, directly to their application static analysis, runtime security testing, and other key aspects of the SDL.
Security on the Desktop
- One positive side effect of the target virus and malware authors have painted on Microsoft products is that most Windows users have an antivirus or anti-malware utility installed.
- These tools aren’t silver bullets, but if the cyber villains out there decide to turn their crosshairs on non-Windows platforms, users may find themselves in a rush to find solid solutions.
Virii and Malware
- Despite some valiant efforts, virii and malware plague the lives of Windows users who dare to use the Internet.
- From the end-user standpoint it’s hard to argue with the fact that Windows users are more impacted by malicious software than users of other operating systems, which is supported by the fact that Kaspersky Labs found that more than 99% of malware threats in the first half of 2008 targeted Windows platforms.
- One of the biggest advantages Linux has over Windows when it comes to security is its architecture.
- The inherently multi-user architecture of Linux systems promotes a segregated hierarchy of trust that is fundamentally more secure than the single-user design of Windows systems past.
- User Account Control (UAC) in Windows Vista, which means among other things that user programs run with restricted permissions and require the privileges of a super-user to perform sensitive actions, is a good step forward.
- The poor security architecture of past versions of Windows continues to haunt current users in the form of legacy software that fails to install or even run, in many circumstances, without the elevated privileges that UAC seeks to enforce.
- Windows 7 takes a step backwards by relaxing the restrictions enforced by UAC to make installing and running legacy programs easier, but at the cost of security.
Many Eyes Theory
- The “many eyes” theory proposes that because anyone can access open source code, developers will find and fix more bugs than in traditional closed code bases.
- Projects like the Department of Homeland Security’s project to identify and remediate vulnerabilities in open source software and Fortify Software’s Fortify Open Review have demonstrated that community vulnerability identification efforts can effectively identify security bugs in open source.
- However, our research suggests that widely-used open source projects are woefully lacking when it comes to providing their users with access to security expertise, implementing secure development lifecycles, and leveraging static analysis to identify widespread security vulnerabilities.
- One of the biggest security disadvantages for Linux is that it hasn’t benefited from the years of attacks that Windows platforms have weathered.
- Although their exploits are no fun for Windows users, the hordes of malware authors have served as de facto security auditors and have led to the remediation of piles of security bugs in Windows.
- If Linux gains widespread adoption, there’s no reason to think the crosshairs of malware authors might not increasingly follow. The question will then be whether the eyes of the many developers that have contributed to Linux will stand the test of the highly motivated hackers poised to pull the trigger.