E-Commerce EDI Industry Perspectives
Monday, April 24, 2006
Windows Vs. Open Source

Thoughts from Chris Burns:

Think Open Source and Security are synonymous? Think again.

As a Microsoft developer (C#) I have been obliged to concede several points to my colleagues that prefer the Open Source platforms (mainly Linux) and languages (Java, PHP, and PERL). One of these points that I confess readily is that the applications I create will only function on machines running a Windows OS - until MONO matures anyway. Since I have yet to encounter anyone who uses Linux on the desktop in a production capacity I have no problem conceding that point. However, a concession that has always chapped my backside was admitting that some Open Source platforms were more secure than their Microsoft counterparts. The only solace available to me was the theory that some of these open source technologies were simply not in use on a scale comparable to Microsoft, thus the opportunities for malicious code to target these platforms are greatly diminished. For the life of me I cannot remember the individual who pointed that theory out to me. This is very unfortunate because I would really like to see their reaction to the ever-widening stream of developments exposing the cracks in the armor of some Open Source platforms.

Here's a number for you - CERT (US Computer Emergency Readiness Team) reported in their annual year end security index that Windows experienced 812 OS vulnerabilities for the period of time between January and December of 2005. Ouch, that's more than two per day - including weekends. But wait, what's this? For that same period of time there were 2,328 vulnerabilities discovered in Linux and UNIX. Let me say that again for effect, 2,328. That is more than 6 vulnerabilities per day and nearly 4 times more than Windows. As staggering as that number is, I believe it is not the worst part of the problem. Of those Linux and UNIX vulnerabilities only 500 were found across multiple vendors, leaving 1,832 issues to individual vendors.
This begs several questions at least: where will the end user go for updates? Will all flavors of Linux need their own update? Will updates be applicable to all the different kernels of the same Linux variation? I don't know the answers to these questions, nor am I even interested in finding out. I am interested to know however, if the latest worm (MARE.D) targeting Linux is an isolated incident, or a sign of things to come.

Recent exploitations are not limited to Linux and UNIX. Even Apple's ironclad OS X (an unholy alliance of UNIX and Java) has experienced breaches of late. Flaws in the Safari web browser allow hackers to install and execute several variations of malicious code on the operating system itself. Ironically the creators of these Apple hacks were thoughtful enough to give them Macish names - Leap and Ingtana.

Not wanting to miss out on the publicity, Java, the development language I love to dislike the most, has earned the dubious honor of falling victim to one of the first Mobile Phone viruses. To make matters worse, the RedBrowser hack is not limited to cell phones alone, but any application that is created with J2ME - Java's flavor for creating Mobile applications.

Other vulnerabilities and faux pas have occurred recently that have received little coverage. Google, the golden child of the Web and Open Source champion, announced that their desktop search application had a severe flaw that returned the contents of local files along with search results.

Now contrary to what you may think at this point, this piece was not meant to say proprietary (Microsoft) code is better than Open Source (Linux). I just want the playing field to be level when comparisons are made.
The fact that Linux is gaining in popularity and usage is undisputable, and although I am anxiously waiting for the day that the Linux backlash officially begins, meaning the day that developers and IT administrators everywhere realize that Linux will not fix their problems, nor will it reduce their costs. (But I will save that topic for another entry). To employ an old cliche, I want to compare apples to apples. I would love to see the number of vulnerabilities exposed if and when Linux reaches even a high single digit share in the Desktop PC market. The last figures I saw put the market share at around 97%, 1-2%, .25% for Windows, Mac and Linux respectively. We'll have to wait and see if UNIX even survives the Windows/Linux assault on its market share to make any comparisons and even then, we can only compare the Windows Server Operating Systems as true UNIX does not offer a desktop version.

An application as fluid, dynamic and complex as an OS will probably always have a new vulnerability to exploit. Whether it is a Desktop or Server OS is irrelevant; what is absolutely critical is that end users have a well-established, secure source for obtaining any and all required updates. Say what you will about Microsoft, but they have provided this very facility for years. I will do my due diligence while online and be mindful of what material I view and where I view it. It is well within my capacity to understand that no Operating System will ever protect me from myself, but if I had to choose one to use for the foreseeable future, I'll take 812 over 2,328 any day.

Thoughts from Bill Mayhew:

I don't personally fight in a Microsoft versus everybody else war, so I really do not have a strong opinion. The greatest share of vulnerabilities have been poorly written applications running on host operating systems and not the operating systems themselves. Microsoft has clearly been more seriously victimized by so-called zero-day vulnerabilities: Sasser and Code Red for example.
One could argue that peer review of the Linux kernel source files has prevented such vulnerabilities from being written into the code. What I see as issues:
© 1999-2006 EC/EDI Ltd. All Rights Reserved.