Linux vendors claim Forrester Report favored Microsoft
Say Forrester Research showed bias in study of responses to security flaws
Computerworld - Four major Linux distributors have sharply criticized a recent report in which Forrester Research Inc. found that Microsoft Corp. outperformed them in responding to and fixing security flaws.
In a joint letter released April 6, Linux distributors Debian, MandrakeSoft Inc., Red Hat Inc. and SUSE Linux AG questioned the validity of Forrester's conclusions and claimed that the report had "extremely limited real-world value" for users.
"It's bogus in its current form," said Joey Schulze, a member of Debian's security team.
Laura Koetzle, the author of the Forrester report, defended her company's analysis of the data. All vendors studied in the report were measured equally using publicly available vulnerability data and widely accepted vulnerability rating measures from the National Institute of Standards and Technology (NIST), she said.
Cambridge, Mass.-based Forrester's report "Is Linux More Secure than Windows?" was released on March 22. It looks at how Microsoft and the four Linux vendors responded to reports of security flaws from June 1, 2002, to May 31, 2003. Microsoft ranks first among the vendors for its "responsiveness" and its "thoroughness" in dealing with reported security vulnerabilities.
On average, Microsoft took 25 days between public disclosure and the release of a fix, and it was the only company to fix all vulnerabilities, the report stated. However, Microsoft also had the highest percentage of serious flaws.
In contrast, Moreno Valley, Calif.-based MandrakeSoft took 82 days on average to issue fixes for its Linux distribution, the Forrester report said. SUSE took 74 days, and Red Hat and Debian each took an average of 57 days.
The Linux vendors ranked lower than Microsoft in terms of the percentage of reported flaws they fixed. Red Hat, which fixed all but one flaw, was closest, while Debian ranked last, fixing 275 out of 286 flaws.
While the data that the analysis is based on is accurate, the conclusions are not, said Vincent Danen, security update manager at MandrakeSoft. By measuring only the time elapsed between public knowledge of a security flaw and the availability of a vendor's fix, the study failed to make a distinction between critical flaws and the not-so-severe ones, the jointly signed letter said.
Linux vendors typically treat flaws on a case-by-case basis, with high-risk flaws getting a higher priority than low-risk ones, Danen said. The response to a flaw is based on risk assessments made by each distributor and may not always coincide with the assessment made by a third party such as NIST, he said.
"Our users will know that for critical flaws, we can respond within hours," SUSE Linux said in a statement.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts