Well, the first half of 2006 is behind us and I've completed an initial vulnerability comparison between Windows Server 2003 (WS2003) and the two enterprise server versions of Red Hat that have shipped since WS2003 became available - Red Hat Enterprise Linux 3 and 4 (Advanced Server). I'm going to start with the basic data and then update this blog entry as clarification or further analysis is necessary.
Whether you look at the all-up total vulnerabilities, look at high severity vulnerabilities, or look at the weighted Workload Vulnerability Index, it is hard to argue against the fact that Red Hat 3 server admins required less vuln work than Red Hat 4, and Windows Server 2003 required less than either.
Read this FAQ if you have questions about the analysis. If you still have questions, ask away and I'll update as needed.
First, let's start with the basic vulnerability counts. I've charted the totals for the six month period in chart 1, but will also lay out various details.
The breakdown of totals data is as follows:
I also calculated days-of-risk by severity to see if the higher severity issues were given priority, and generally they were, except in the case of RHEL4, where low severity issues fared better than medium:
So, if anybody wanted to do a "red hot candy" demo for the first six months of the year, the differences would be pretty significantly in Windows favor over Red Hat servers, either 3 or 4. However, as Mr. Cox likes to point out, that's not the whole story as lots of low severity issues are not equal to lots of high severity issues.
With that in mind, I also calculated and charted a monthly Workload Vulnerability Index as defined by NIST and similar to that introduced by Mark Cox in Red Hat RHEL4 Risk Report. I did use the NIST ratings rather than vendor ratings in order to use a more objective, common source of rating. Read the FAQ for more info on why.
Here is the WVI, a more normalized comparison of the severity-rated issues affecting all three platforms over the past 6 months:
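To make the three metrics above concrete (severity counts, days-of-risk by severity, and a monthly severity-weighted index), here is a small calculator over a constructed advisory list. This is example code added to this post; it is not the spreadsheet or data behind the charts. The advisory records, the platform names used as keys, and the severity weights in `DEFAULT_WEIGHTS` are all assumptions for illustration; the post does not state the actual NVD weights, so the weights are a parameter you would replace with the published ones.

```python
"""Severity counts, days-of-risk and a weighted vulnerability index.

Example code added to this post, not the original analysis. All data below
is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records (hypothetical, not real advisories):
# (platform, id, public disclosure date, vendor fix date, NVD-style severity)
ADVISORIES = [
    ("WS2003", "A", date(2006, 1, 10), date(2006, 1, 10), "High"),
    ("WS2003", "B", date(2006, 2, 1), date(2006, 2, 14), "Medium"),
    ("WS2003", "C", date(2006, 2, 20), date(2006, 3, 14), "Low"),
    ("RHEL4", "D", date(2006, 1, 5), date(2006, 1, 12), "High"),
    ("RHEL4", "E", date(2006, 1, 5), date(2006, 2, 4), "Medium"),
    ("RHEL4", "F", date(2006, 2, 10), date(2006, 2, 20), "Low"),
    ("RHEL4", "G", date(2006, 2, 15), date(2006, 3, 1), "Medium"),
    ("RHEL3", "H", date(2006, 1, 20), date(2006, 1, 25), "High"),
    ("RHEL3", "I", date(2006, 3, 3), date(2006, 3, 3), "Low"),
]

# Assumed weights for the weighted index. The post does not give the NVD
# weights; these are placeholders so the weighting step is visible.
DEFAULT_WEIGHTS = {"High": 1.0, "Medium": 0.5, "Low": 0.25}


def days_of_risk(disclosed, fixed):
    """Calendar days a flaw was public before the vendor fix (never negative)."""
    return max((fixed - disclosed).days, 0)


def counts_by_severity(advisories):
    """Raw vulnerability count per platform, split by severity."""
    counts = defaultdict(lambda: defaultdict(int))
    for platform, _, _, _, severity in advisories:
        counts[platform][severity] += 1
    return {p: dict(c) for p, c in counts.items()}


def mean_days_of_risk(advisories):
    """Average days-of-risk per platform and severity.

    Comparing the per-severity means shows whether higher-severity issues
    were actually fixed faster than lower-severity ones.
    """
    samples = defaultdict(lambda: defaultdict(list))
    for platform, _, disclosed, fixed, severity in advisories:
        samples[platform][severity].append(days_of_risk(disclosed, fixed))
    return {
        p: {s: sum(v) / len(v) for s, v in by_sev.items()}
        for p, by_sev in samples.items()
    }


def workload_index(advisories, weights=DEFAULT_WEIGHTS):
    """Monthly severity-weighted index per platform, keyed by disclosure month.

    Each vulnerability contributes its severity weight to the month it was
    disclosed, so a month with many Low issues scores below a month with a
    few High ones.
    """
    index = defaultdict(lambda: defaultdict(float))
    for platform, _, disclosed, _, severity in advisories:
        month = f"{disclosed.year}-{disclosed.month:02d}"
        index[platform][month] += weights[severity]
    return {p: dict(m) for p, m in index.items()}


if __name__ == "__main__":
    for platform, by_sev in counts_by_severity(ADVISORIES).items():
        print(platform, "counts:", by_sev)
    for platform, by_sev in mean_days_of_risk(ADVISORIES).items():
        print(platform, "mean days-of-risk:", by_sev)
    for platform, by_month in workload_index(ADVISORIES).items():
        print(platform, "weighted index by month:", by_month)
```

With the constructed data, RHEL4's mean days-of-risk comes out lower for Low than for Medium, which is the kind of inversion the post notes for RHEL4; the weighted index for WS2003 is 1.0 in January and 0.75 in February despite two issues in February, which is the point about a pile of low-severity issues not equalling a few high-severity ones.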
Stay tuned for more soon, including a similar posting with data and analysis of Windows XP SP2, Red Hat Desktop 3 and Red Hat Desktop 4 and some discussion of the role-based comparisons and all-products comparisons. UPDATE: You may want to also read Apples, Oranges and Vulnerability Metrics for a discussion of issues related to comparing OSes having different sets of applications.
Regards ~ Jeff