Is Linux the most secure OS?

Linux-based systems get a lot of press in IT trade publications. A lot of that press relates to its security characteristics. In fact, some claim “Linux is the most secure operating system (OS) of them all.” Such statements are, of course, unsupportable hyperbole; while many Linux distributions may outshine both MS Windows and Apple MacOS X by a significant margin, there’s evidence to suggest that most Linux distributions are not up to the standards of FreeBSD, for instance -- let alone OpenBSD, with possibly the best security record of any general-purpose operating system.

That’s even leaving out special-purpose OSes such as a number of a popular open source OS has definite security advantages over a popular closed source counterpart. Linux distributions are far from the only open source operating systems, though. Just for the sake of argument, insofar as Linux is emblematic of open source OSes, then, and that MS Windows is emblematic of closed source OSes, it may not be so unrealistic to say “Linux is the most secure OS of them all,” where “them all” consists of only two choices -- but the world is not that simple.

“Linux” in the abstract, however -- as a stand-in for the average Linux distribution -- is simply not the most secure OS available by a more comprehensive view of OSes. There are, in fact, some Linux distributions that have been created for research purposes that are intentionally as poorly secured as possible in default configuration. The range of default configuration security for Linux distributions spans a broad array of choices between “intentionally as airtight as a screen door” and Hardened Gentoo. Obviously, the average, or the norm, is somewhere between the two.

Furthermore, determining a “most secure” OS is not as straightforward as it might at first sound. One of the most common criteria used by people who don’t really understand security, and by those who do understand it but want to manipulate those who don’t with misdirection and massaged statistics, is vulnerability discovery rates. Those of us who know better are aware that there’s a lot more to security than counting vulnerabilities. Other, more credible criteria, may involve factors such as:

code quality auditing
default security configuration
patch quality and response time
privilege separation architecture

. . . and a whole lot more.

Even if we ignore any OS that won’t, for instance, run a popular browser (such as Firefox), a popular email client (such as Thunderbird), and a popular office suite (such as OpenOffice.org) in a some people say Ubuntu is the most secure Linux distribution. Of course, if that was true, and it was true that Linux was the most secure OS, that would make Ubuntu more secure than OpenVMS. Suffice to say I don’t buy that implication.

If you’re one of those people inclined to say “Linux is the most secure operating system of all,” you should probably rethink that. A much stronger case can be made for the security of some other OSes than the average Linux distribution. Even if it couldn’t, the variability of Linux distributions in general, and the differing criteria for the security of an OS that may come into play in comparisons, make such a statement quixotic at best.

The long version of the answer to the question “Is Linux the most secure OS?” is that it depends on what OSes you’re comparing, or whether you’re comparing specific OSes at all (instead of something like “open source vs. closed source”), and for what purposes you mean to evaluate the security of an operating system. If you make claims like that, someone who knows better will have an easy way to discredit your argument. Be more specific, not only in your arguments, but in your thinking -- because it’s too easy to form bad habits that may lead to making bad decisions about your own security, and because giving people inaccurate information about security like that can create real problems. If you mean that all else being equal popular open source OSes are more secure than popular closed source OSes, say so. If you mean that Ubuntu’s default configuration is more secure than MS Windows Vista’s, say so. Just saying “Linux is the most secure operating system of all,” on the other hand, is imprecise and inaccurate.

The short version of the answer, of course, is “No.”