As Steven's own story on the report shows, the main finding, counterintuitive to many, is that there is no obvious answer to the question of whether Windows or Linux is more secure than the other. It depends on your point of view. I came away from the report thinking, as I have always thought, that the main variable is the dedication of administrators and a given organization to security.

Forrester concludes that Microsoft is, on average, faster than Linux vendors at fixing known vulnerabilities, but that Windows has more of them than Linux. I could quibble with a lot of these numbers, but I think it's more important to recognize that they are all in the ballpark with each other.

A Linux advocate could have a lot of arguments with Forrester's positions. For instance, Forrester tracked the distribution of patches by Linux distributors, specifically Red Hat, Suse, MandrakeSoft and Debian. When a patch comes out for a Linux bug, it will often come out first in another venue, such as kernel.org or apache.org. At this point, the distributors have to do some testing before they issue their own advisories and code. It's often possible for Linux users to patch their systems faster than the Forrester research assumes.

There's some merit in this argument, but I wouldn't want to lean too hard on the numbers. One of the reasons companies pay money to companies like Red Hat is so that there will be one place where they can go to get software that has been tested and can be supported. I've noticed the same effect without thinking too hard about it; I subscribe to Symantec's DeepSight Alert Services and I've seen that for some time after a Linux threat is announced and patched, advisories and patches from the various distributions straggle in. There's more room for criticism here than I've considered in the past.

It's also true that Windows administrators have other security issues to deal with, such as anti-virus protection, that either aren't present or aren't as urgent on Linux. But even most Linux administrators have Windows desktop users to support, which to some degree makes this issue a wash. I'm also coming to the conclusion that the vast majority of the big Windows viruses can be stopped with good patching policies and intelligent perimeter filtering. More on that in another column later.

Microsoft takes a lot of guff in security circles for unpatched vulnerabilities, so it was a little surprising to see Forrester's conclusion that Microsoft had a far lower average "all days of risk," meaning days between the disclosure of a vulnerability and the availability of a patch. Some of the Forrester numbers for distribution days of risk, meaning days between the release of a patch by the component author and the release by a distributor, are downright appalling. Since this is a testing-bandwidth issue, I conclude that Microsoft has the advantage of gobs of money to throw at testing resources, primarily in its own labs.

But the real bottleneck has always proved to be the end of the food chain: namely, the administrator applying the patch. People are rightly nervous about applying patches to functioning, stable systems, even with the threat of some horrible security problem. It is possible to set up systems both to test patches and apply them expeditiously, but these require an investment that makes you feel like you're paying mob-protection money.

But you're going to pay one way or another. If you want your systems to be current and tested, either you shell out for systems that facilitate it, or you're going to be putting in tons of overtime at unpredictable points. It's OK—you're hourly, right? Ha, ha!

The alternative is that you'll find yourself in the same position as a lot of people were with Slammer last year, six-plus months after the release of a patch, when your systems all go down because you were "too busy" for all that time.

So whatever your operating system, the real issue is not the software company. The issue is how much time you have to deal with security, and how important it is to your company. Just run the numbers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.