Comparing security processes
Microsoft’s rapid response to security vulnerabilities helps minimize potential damage to the enterprise. Customers receive notification of vulnerabilities and security patches automatically. Enterprises can minimize their risks by selecting products that offer integrated security features that have been tested under real-world conditions. Microsoft is a known, established vendor with processes in place to respond to and resolve problems that might arise with its products. Customers know whom to call when a problem occurs, and they can count on Microsoft to address the problem promptly and systematically. The market research firm Aberdeen Group commends Microsoft for having “a good track record” of resolving security problems.
Microsoft offers an abundance of resources to help businesses develop secure IT environments and applications. In contrast, the community model may introduce a delay in receiving security patches.
With Open Source software, it is not clear to whom businesses can specifically go for help when a security vulnerability is identified. The idea of getting help from a global community of volunteers is appealing, but the customer assumes primary responsibility for making sure the code is secure and for finding patches and modifying them when the patches are for different versions of the source code. Another option is for customers to enter into a services agreement with a System Integrator to provide new features and support the Open Source code; however, this adds cost and complexity to the initial project.
Efforts to educate customers about processes and best practices, coupled with solid security response programs, have helped reduce the “attack surface” for Windows. CERT’s information on scanning and probing activity on known vulnerabilities shows that there were thirteen different categories of scanning on Linux systems versus only four against Windows (source: http://www.cert.org/current/scanning.html).