By Elizabeth Millard LinuxInsider Part of the ECT News Network
07/28/04 11:56 AM PT
Evans Data today released survey results showing that 90 percent of Linux systems have never been infected by a virus, and nearly 80 percent have never been hacked.
The survey of 500 Linux developers worldwide was conducted earlier this month. The respondents' answers were compared to another survey done by Evans in the spring, the North American Development Survey. In that comparison, 3 in 5 non-Linux developers reported a security breach and 32 percent experienced three or more breaches.
Evans' Linux analyst Nicholas Petreley told LinuxInsider that the results showed the most common mechanism by which a Linux machine can be compromised is by users inadequately configuring security settings. Other compromises came from vulnerabilities in Internet services and Web server flaws.
"Ironically, the other flaws that crackers use to compromise Linux servers are flaws in applications which run on competing operating systems, so those vulnerabilities are not specific to Linux," Petreley said.
Additional Findings
The recent survey produced a number of other findings related to Linux. It noted that less than 7 percent of survey respondents said that their systems were hacked three or more times.
Of the 22 percent that had been hacked at least once, 23 percent of the intrusions were by internal users with valid login IDs.
Besides that security issue, Evans also asked about general Linux development issues in the survey and found that developer migration to the 2.6 kernel has increased significantly in six months. It has grown by more than 80 percent, with only 12 percent of respondents expecting to take longer than a year to make the move.
In terms of the contentious legal battles being waged by The SCO Group, most developers did not think the outcome would affect their decisions. Seventy-six percent noted that the lawsuits will probably not, or absolutely not, affect their company's adoption of Linux. This number is 6 percent greater than when the survey was last done, six months ago.
Security Measures
Although Evans asked a variety of questions, it is the security angle that the market-intelligence firm is highlighting most.
Petreley noted that it is not surprising that Linux systems are not hacked to the same degree as Windows-based machines.
"The reasons for the greater inherent security of the Linux OS are simple," he stated. "[M]ore eyes on the code means that less slips by, and the OS is naturally going to be better secured."
Yankee Group analyst Laura DiDio noted that security is one major reason why many companies have been considering adoption of Linux. However, it is not always the OS's reputation for not being hacked that inspires the move.
"People are just tired of doing all those endless Windows security patches," she told LinuxInsider. "If you've got a Windows-based architecture, you pretty much have to have someone dedicated to doing security full time, depending on the size of the company."
Another important finding, Petreley said, was the number of Linux developers that have never been infected by a virus. The 90 percent figure has been fairly consistent over the last three years. "That alone is amazing," Petreley said.
Fun with Statistics
Other research companies, such as Denmark-based Acunia, have released surveys that report very different results from those found by Evans. Some of these reports note that Windows and Linux are equally secure. Petreley called these findings "erroneous."
Petreley noted that the problem with many of these other surveys is the lack of questions about what made the Linux systems insecure, and how a vulnerability was exploited.
"Acunia has graphs which are incredibly misleading," he said. "They show a certain number of security problems, but they don't cross-tabulate to tell you what level of access was needed to gain control of a system."
By cross-tabulating, the reports might have shown that internal access was necessary, as opposed to access from outside the building. Petreley is hopeful that more in-depth research will help to clarify the security power of Linux.
He said, "There's just been inadequate research up to this point. People haven't looked at all of the factors that go into security."