One of the hardest concepts to emphasize concerning Information Security is that people and processes are more critical to your overall security posture than products are. That is not to say that products are unimportant. Certainly, any deficiency in one of the three P’s will necessitate compensation from the other two P’s. But of all three, a deficiency in PRODUCT is the easiest to overcome when sufficient strength exists in the other areas — having the right (and properly trained) people and having appropriate/effective processes.
A recent eWeek Research Central blog entry referred to a CIO Insight 2006 survey which shows that not everyone sees inherent security as one of the virtues of Open Source software as compared to Windows-based software.
This doesn’t mean that they think that Open Source software is insecure, or that Windows-based software is automatically secure, but I think that there is a greater understanding of the following two things:
- Software may provide better or worse support for security out of the box, but most software today provide sufficient configuration options that a user or administrator will be the final determiner of how secure the application is in practice.
- Many of today’s applications are cross-platform, and tend to have a similar level of security across all of the platforms upon which they reside, independent of the platform’s own security features. As an example, when Apple updates QuickTime or iTunes, they are very often updating it for BOTH Windows and the Mac. Regardless of what your viewpoint may be on the relative strengths of either platform (Windows vs Mac) from a security perspective, the application brings its own potential attack vector into the equation.
Thus, it is more reasonable to consider the relative security of applications to other, similar applications — regardless of platform upon which they reside. More than that, it is very important to consider the strengths of the people who will be managing or using the applications in question, because they are the ultimate determining factor of the security of the application in particular, and the environment on a whole. There are far more security issues related to configuration errors than to outright code vulnerabilities, even though code vulnerabilities still get lots of press (primarily because they are often harder to mitigate and are guaranteed to affect a larger number of users if exploited).
Finally, the number of vulnerabilities being found and exploited in applications is steadily increasing — relative to those being found and exploited for the underlying OSes — and the patching mechanisms in place for the application layer is not as uniform and mature as that available for the OSes themselves.