"Which operating system is most secure?" is a popular IT religious debate. Symantec released its Internet Security Threat Report for July – December 2006. Around page 40, it discusses the number of vulnerabilities from each operating system vendor and the time it took each vendor to patch them. One way to look at these numbers is to see who patches first, as this article on internetnews.com does. Considering only that metric, Microsoft comes out the winner with an average of 21 days to patch. Hidden behind this number, though, is the fact that Microsoft advocates responsible disclosure, which means that security researchers in theory report new vulnerabilities to Microsoft privately, giving Microsoft a head start on malicious hackers before the problem is public. Open source projects often reveal their vulnerabilities publicly, so their patch clock starts as soon as the bug is known. It's unclear to me precisely how Symantec determined the disclosure date that starts its patch-time clock, and whether responsible disclosure gives Microsoft extra time that the metric doesn't count.

We could measure differently and look only at the number of high-severity vulnerabilities; after all, the rest aren't as critical. Then we get a different ranking:

  1. Mac OS X — 1
  2. Sun Solaris — 1
  3. Red Hat — 2
  4. HP-UX — 2
  5. Microsoft — 12

Or we could ask the people responsible for securing servers which operating system they think is the most secure, as Forrester has done for soon-to-be-published research. Those results say:

  1. Mainframe
  2. Unix
  3. Apple OS X
  4. Linux
  5. Microsoft Windows

So which one is right? I say that none of these metrics adequately answers the question. There are too many variables: user opinion suffers from historical bias, patch criticality is ranked by vendors with inconsistent standards, and the number of patches depends on how the vendor decides to group vulnerabilities. At the end of the day, the question people want answered is "How much money and work am I going to have to spend to keep these &$^%ing machines secure?" Every operating system is going to need patches and updates, because no programmer working on such a huge project is perfect, so the real question is how much effort it will take to keep the system up-to-date. Most enterprises right now aren't sitting back on their heels waiting for vendors to provide patches for an already-announced vulnerability; they're having enough trouble keeping up with last month's patches. So I think asking which operating system is more secure is the wrong question: they all have vulnerabilities waiting to be discovered. The question for now is what it takes to keep the machines up-to-date on patches. Once people can keep up with the vendors, then maybe how fast the vendors produce patches will matter.