With costs of software flaws exacting a huge toll on organizations -- NIST pegs it at nearly $60 billion annually in the U.S. alone -- many security experts advocate the use of open-source applications, which they say have fewer undiscovered, unpatched flaws.
When software's source code is openly available to the public, as is that of the Linux operating system, it lends itself more readily to modification. The Linux operating system allows third-party developers to adapt code to meet their needs, leaving it extended and modified in an improved state for subsequent users. Advocates of open source software point out that since underlying code is freely open for inspection, more eyes examine it, which results in more errors being uncovered and promptly patched. From a security standpoint, this makes for a broader redistribution of the software and provides the added benefit of having numerous patches and repairs occurring from a variety of sources. The software evolves at a faster rate than is seen in proprietary software.
Linux isn't only appealing because it garners review from a large audience, but that it's free may be even more attractive. According to Marcia Wilson, CEO of Wilson Secure in Pleasanton, Calif., "There is great flexibility when using open source software; and it's free! However, the most attractive part about it is that the open source community is huge, global and responsive. If you have a problem with code, you can quickly get a fix, or answers, or assistance through these communities. Large private software companies can't move that fast and often can't provide a fix until the next release of the software."
The debate concerning the security of Linux is tempered by the fact that "if the security provided by a particular installation is not sufficient it can be modified to ensure the highest levels of protection," said Dave Wreski, CEO of Guardian Digital Inc. in Allendale, NJ. Even the U.S. government uses Linux and other open source software, with over 250 deployments in use by the Department of Defense, according to the Mitre Group. "The United States government, with special regard to the Department of Defense, puts security and confidentiality to the highest standard. Any code chosen for critical government or military systems must undergo countless hours of analysis and vulnerability assessment," he said.
If that's not enough to convince skeptics, Wreski added, "Linux truly focuses on the security of the system and its capabilities and strengths continue to improve, surpassing those of proprietary vendors like Microsoft."
While Linux is considered most secure by many in IT security, Microsoft hasn't yet thrown in the towel. Said Tony Bradley, a security guru for a Fortune 100 computer services firm, "In my opinion most variations of Linux are more secure by default. However, Microsoft is working hard to fix some of [its] issues by turning security features on by default and turning off some of the vulnerability-prone services by default in newer versions and with the latest service pack updates. Linux generally installs with a number of third-party open source programs though which have their own issues and vulnerabilities."
The bottom line: Whether opting for open or closed source software, any and all operating systems will still require administrators to monitor for security flaws, possible viral infections, and the possibility of breaches through firewalls.