"Gartner's research indicates that all of the mainstream operating systems, in the personal and the mid-range server environments, are roughly similar in terms of the level of security assured by the OS in a default installation.  This includes Windows, Mac, and Linux.  Accordingly, it is not correct to assert that Linux is inherently more or less secure than any other mainstream operating system," said Walls {research director for Gartner’s Security}.

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company.  We deliver the technology-related insight necessary for our clients to make the right decisions, every day.  From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the indispensable partner to 60,000 clients in 10,000 distinct organizations.  Through the resources of Gartner Research, Gartner Consulting and Gartner Events, we work with every client to research, analyze and interpret the business of IT within the context of their individual role.  Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,800 associates, including 1,200 research analysts and consultants in 75 countries.

I’ve expected that as soon as we get into any meaty and interesting discussions, my current place of employment (Microsoft) will come into play, combined by assertions that I must be biased.  It is fairly predictable, so I thought it might be interesting to just pre-empt it and open the question myself.

I’ve been a Director at Microsoft for a little over four years now, in the security group that works to drive security improvement across the company.  For that alone, some may condemn me, so let’s dig into it.

In the engineering program at Purdue University, we all used Unix accounts and to this day, my fingers remember the key “vi” editing commands.  My workstation and development platform for my first four years of work was a Sun workstation.  Working from home after that, I used Slackware Linux as my primary workstation for two years starting in 1994.  When we turned the TISFirewall Toolkit into the Gauntlet firewall, we did it on the BSD/OS.  ... Basically, I’ve used and done security analysis on most common operating systems over the past 20 years – even some uncommon and interesting proprietary ones by Unisys, Tandem and HP.  In fact, over 75% of my security career came before Microsoft.

How did I end up at Microsoft?  Let’s go back in time five years.  At that point, it was commonly accepted by most people that Microsoft had some security problems.  In contrast, most folks thought the Unix and Linux community (and vendors) historically had a better approach to security and would build on that.  Around that time, I got a call from a respected former colleague (Steve Lipner), who convinced me that Microsoft management was committed to improving security across the company and was taking real steps to do it.  I was skeptical, but ultimately convinced enough to join – where better to have real impact in computer security?

Still, I like to be practical about security.  Does your team have deep Unix skills and no experience on Windows?  If so, your risk will be better managed on some sort of Unix system, regardless of whether Microsoft security is better, worse or indifferent.

So, I’ve been around security a while and in the past four years I’ve personally participated in steps at Microsoft that, in my mind, are resulting in improved security for customers.  Is it perfect?  No.  Are the products much better than predecessors?  Certainly so.  Is security improvement happening on Linux and Unix?  Definitely.  Who is doing better?  Ah, that brings us back to the question doesn’t it – by what metric?

Am I biased?  I do not think so, but let’s just all keep assuming I am, because I don’t mind.  If I make comparisons, I’ll lay out my metrics.  I’ll lay out my assumptions.  I’ll describe the methodology.  Then, if you want to dispute the results, debate the assumptions, or critique the methodology, I’ll ask the same of you.  Regardless of the outcome, all sides will get presented, progress is made and that’s a win for interested readers.

P.S.:  It is ironic that Unix has it roots in academia, a community in which unsupported assertions are poorly tolerated.

Under these conditions of uncertainty, the only thing that is certain is the uncertainty itself.  In other words, it is no longer tenable (in my opinion) to assert that “Linux is more secure than Windows” with a high level of confidence.  A more arguable position, I believe, is the moderate assertion that the “assumed security superiority of Linux over Windows is questionable.”

Uncertainty ought to beget humility.

To be fair Pleo, this isn't really surprising and not unique to them.  Even quite serious and dedicated groups of people fall prey to reasoning errors like groupthink and confirmation bias, and that's without the kind of self-selection dynamics in communities like that around Linux (and there are several quite distinct communities - there is no one "the" Linux community).

Really, much of the "language wars" kind of thing that programmers tended to engage in is the same; people want to come up with post-facto "rational" justifications for decisions they have made for other reasons. That doesn't mean that they are necessarily wrong, or that their decisions are bad - emotion is, as I've said elsewhere, a useful part of our cognitive toolbox...

That's a little oversold, unless you were referring to the Stanford/MIT axis...