Which is More Secure: Windows or Linux?

Posted by Joe Basirico on July 29, 2011 at 11:14 AM

Somebody on LinkedIn asked the above question to a group I'm part of. I decided to answer it, thinking "Oh, I can chime in with a quick little answer", but the more I wrote, the more complex the answer became.

Here is my response:

I think the question is far more complex right now actually. For example, what constitutes "Linux" or "Windows"? If we're talking only about the kernel, then they're about the same (both extremely secure). They've certainly made different design decisions, but at the end of the day kernel exploits for either OS are extremely rare.

If you're talking about how the core OS protects its users from malware and other attacks, an argument could be made that the forced low-privileged user mode of Linux is more secure. However, there are huge advancements on both sides to reduce the risk of malicious code executing without the user's knowledge: ASLR, DEP, NX bits, and stack canaries all exist to reduce this risk, and are included in Linux, Windows, Mac OS X and others. So I'd say it's a wash there too.

If we want to talk about the applications that ship with the OS we might be getting closer to an answer, but there is still a lot of security and process in place.

Where things really start to diverge is user base and the complexity and security of the applications those users install on their machines.

OS security is largely a "solved" issue; the amount of risk you inherit from your OS pales in comparison to the amount of risk you inherit from the applications you install and your behavior on your computer. As someone who breaks software daily, I can say we look first at the applications and the security controls in that application (input validation, logic assumptions, authentication, authorization, SQL injection, buffer overflows, format string vulnerabilities, etc.).

If we concede it's the applications that are going to give you the risk, then which OS provides the best protections for developers so they can make the best decisions in security? There are great resources for both, but I would lean toward Microsoft being the bigger driving factor in security for software developers today. They spend so much effort surfacing information to help developers and testers make the right decisions that it can be almost overwhelming, but the information is there and from a trusted source.

That's quite a bit longer an answer than I was expecting to write. I think this question is far more complex than can be answered quickly. I'd love to do a complete study to compare the overall security of these systems (including OS X, and maybe some mobile platforms as well).

My feeling is that the biggest wins for security should be application focused, not OS focused. Use the OS, the programming language and the technology that you understand, then learn about security and build a secure system from the ground up. That's how we will make big leaps toward a more secure system.

Topics: application security
