Open source software, usually with a strong Unix flavor, has proven to be a viable alternative to the world of the “install wizard”. It is often more compact and efficient and uses much fewer resources to provide equal or superior functionality to the end-user. From a purest high security standpoint, Microsoft Windows has still to prove that it is the equal of a well-tuned Unix system. Linux, a popular open source version of Unix has the potential to be very secure, but suffers from “too many fingers in the pie” unless it is stripped to the barer essentials to allow it to be more easily secured.

For the reader to draw their own unbiased conclusions about which operating system and typically associated web server has a better track record, I will refer them to the US National Institute of Standards and Technology (NIST) vulnerability tracking web site, icat.nist.gov, to make their own comparisons of publicly reported security alert bulletins to see which operating systems and web servers have the best track record in the area of fewest serious security bugs and other vulnerabilities. No system has a clean record, but there is a significant difference between the recent history (last 10 years) of open source and proprietary (“closed source”) software.


From a Chief Information Officer/Chief Technology Officer perspective, despite the clear security benefits, formal support for open source software is only available through informal channels in Internet news and discussion groups. However, formal support for closed source, commercial software, especially in light of the increased use of off-shore support that has not approached that of “good ol’ home cooking”, does not always provide a superior benefit. For example, I recently had an experience with a major handheld computer vendor’s off-shore support which involved a problem with the handheld not recognizing an inserted SDIO card. I reported the problem to the vendor via email and grew continually annoyed after three email exchanges. Each reply from the customer support was from a different technician who never responded directly to my questions and comments. Instead their responses read like a text book and did not directly address my problem.

What do you think about the full disclosure of vulnerabilities?