Linked by Thom Holwerda on Fri 10th Mar 2006 12:29 UTC, submitted by Moule
Privacy, Security, Encryption
It's official, boys and girls: it's easier to kick in a door when it's open. "A test has revealed that a Linux server is far less likely to be compromised. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours. However, patching does make a difference. Patched versions of Windows fared far better, remaining untouched throughout the test, as did the Red Hat and Suse deployments."
Thread beginning with comment 103191
Sometimes it's not up to the admin
by kurenai on Fri 10th Mar 2006 15:29 UTC
kurenai, member since 2006-01-24

For several software packages that we run on our servers over here, the author company only warranties the software if it's running on a server at a certain patch level. We were two service packs behind continuously until just this year. It's that, or run it without any kind of support. We chose to run without the service packs, and firewall the hell out of the servers.

g__t, member since 2006-01-04

"the author company only warranties the software if it's running on a server at a certain patch level"
I know, and it's a really bad issue!
I mean, for many reasons it is desirable to have software using shared libraries: fewer objects to load, fewer objects to patch. It's efficient (you don't need to store and load different copies of something) and secure (when you patch a component, anything using it is secured).
But to guarantee a very strictly defined environment, a contained application is better and straighter than any other solution: you know what it contains and you know that nothing will update it until you decide to update the application. No possible points of failure.
However, most applications are not self-contained, so if strict compliance with a certain patch level is critical, the machine should be placed in a very well protected zone (and not be updated).
For that reason, virtualization (or emulation) software like VMware, Qemu etc. may definitely be a worthy choice to keep the hardware consolidated, embedding more servers into a single, up-to-date and secured machine.
At this point, in many cases, the virtual servers may be configured to respect very specific constraints that may not even be security-wise.
