One of the hardest concepts to emphasize concerning Information Security is that people and processes are more critical to your overall security posture than products are. That is not to say that products are unimportant. Certainly, any deficiency in one of the three P’s (People, Process, Product) will necessitate compensation from the other two. But of all three, PRODUCT is the easiest to overcome with the right people (or properly trained people) and appropriate processes.
In a recent eWeek Research Central blog entry, it was noted that a CIO Insight 2006 survey shows that not everyone sees inherent security as one of the virtues of Open Source software as compared to Windows-based software.
This doesn’t mean that they think that Open Source software is insecure, or that Windows-based software is automatically secure, but I think that there is a greater understanding of the following two things:
Thus, it is more reasonable to consider the security of an application relative to other, similar applications — regardless of platform. It is also very important to consider the strengths of the people who will be managing or using the applications in question, because they are the ultimate determining factor of the security of the application. There are far more security issues related to configuration errors than to outright code vulnerabilities, even though code vulnerabilities still get lots of press (primarily because they are often harder to mitigate and are guaranteed to affect a larger number of users if exploited).