Alright... I gotta chime in.
There's two parts two this question in this context:
functionality and security.
Functionality questions and issues are far, far easier
to answer. The closest that functionality questions come
to speaking to security are issues surrounding which platform
admins know best.
Absolutely, use the platform you can secure best.
Now for security.. People want proof of holes and problems
and not conjecture and suspicion.
Well sorry, you can't have it.
You can't prove that a product of any meaningful size and functionality
is secure. There are branches of computer science that deal with
provable algorithms, but at best they can prove teeny, tiny programs
with lots and lots of qualifications, are correct. You can't get enough
qualifying context together for security apps to even start on this type of
proof. It's being generous to say that trying to "prove" NT or your
favorite *nix is "computationally infeasable."
That leaves little to judge security on. You have suspicion, track
record, vendor response and attitude, source code availability,
speed of patch availability, development methodology, and
how hard it's being "evaluated."
Those are all you have, right up to the point when specific holes
are discovered.
-Suspicion usually comes from the other judging factors we have,
so it's a derivitive factor, and most folks will just want to throw it
out.
-Track record has to do with how many holes they've had in
the past, and how bad they were.
-Vendor response has to do with what the vendor of the product
does when faced with a hole.
-Source code availability doesn't automatically grant security
in any way, but allows a much greater degree of review
(if anyone takes them up on it) and speaks to the vendor's
willingness to be open about problems. It also tends to
speed patches.
-Patch speed deals with how fast a patch gets put out when
a problem is discovered. Related to Track record and
attitude.
-Development methodology is really important. This goes
directly to how secure a product might be. This determines
wether you'll be dealing with a company that takes security seriously
and just occasionally screws up, or whether you're dealing with a
company who thinks it's your job to do a security review of their
product, and will only fix bugs as you find them.
-How it's being evaluated... really, how hard are the hackers
(ANY definition of hackers) are hitting it. To go ahead and take
a small jab at NT here.. MS and it's fans used to claim "See,
NT is more secure, it's never been hacked." This was,
of course, a false sense, since it hadn't been TRIED yet.
This note is already long enough without me filling in my
answers for all the OSes. Short answer, if you favor security,
go get OpenBSD, look at trusted Solaris, look at the Linux
code review project. Turns out that development methodology
has a much higher weight than any of the other factors.
Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
