Questions about which operating system is more secure or the fastest make no sense

Published on 2022-03-18.

Reddit, fora, mailing lists, etc. are filled with questions and debates about whether operating system A is more secure than operating system B, or whether operating system A is faster than operating system B. Such questions and debates makes very little sense.

Operating system security and operating system performance are dependent upon so many different factors that you cannot compare one operating system to another in any general manner.

A homemade tiny and crappy operating system can easily be the most secure operating system in the world even if it has multiple exploitable security issues. If no one knows anything about the crappy operating system then no written exploits would exist, then in that very moment in time, the crappy operating system would be one of the most secure operating systems in the world. Until someone discovers a security vulnerability that can be exploited and until someone sits down and writes an exploit, no one can penetrate the crappy operating system.

The more popular an operating system is the more people will be motivated to finding exploitable security bugs. Sometimes a security bug can go exploited for years without anyone finding out.

How security is handled across the currently existing operating systems are very different.

Linux Torvalds is famous for not prioritizing security in the Linux kernel. That is why security is mostly something you have to "add on" or patch in Linux. That is the wrong approach to security. Security is not something you add-on, it has to be included at all stages of development and implementation, right from the beginning.

Secure software is not only software that doesn't do anything more than it is supposed to do, it is also software that undergoes rigorous and continues security audits, it is software that is developed with security in mind from the start, and it is software that is developed following specific principles in order to avoid common errors and security pitfalls, such as secure by default.

As an example of an operating system that is being developed with security as one of the primary goals is OpenBSD. OpenBSD stands apart from all the other popular operating systems in the world, including FreeBSD, DragonFly BSD, NetBSD and all the various Linux distributions.

Please note that Linux is not an operating system, it's just a kernel. A Linux distribution is a collection of software bundled together into a operating system. A Linux distribution consists of the Linux kernel, the GNU tool chain, typically a package manager (used to install third party software), and some other components (depending on usage). Each Linux distribution is a separate project. Some distributions are developed by companies, such as Clear Linux being developed by Intel. Other distributions are developed by volunteers, such as the Arch Linux distribution, or the Debian distribution. Some projects consist of thousands of contributors while others can be a single man project. Contrary to the many Linux distributions, the various BSD projects are complete operating systems (not components of different projects put together), each developed by a single organization.

Asking what operating system is the most secure, is the wrong question. It depends on your use case. What you need to ask instead is a specific question, like: For my specific use case, which operating system fulfills the requirements I have and at the same time provides me with the necessary solutions and security policies for me to keep it as secure as possible?

The most secure operating system in general might be OpenBSD, but if my use case is gaming on Steam with an NVIDIA graphics card, then that wouldn't work because OpenBSD doesn't have support for NVIDIA graphics cards. Hence, I need to first assess my use case and then determine how much security matters for that specific use case, and then determine what operating system is best suited to fulfill my needs.

When it comes to matters of performance, then almost every single performance benchmark you can find on the Internet is useless.

All operating systems has tuneable "knobs". If I want to understand how a specific operating system performs I have to know and understand which "knobs" to fiddle with and then put that specific operating system under a test that resembles - as close as possible - the real problems I am facing. Then I have to combine the results with other important factors and features such as security, adaptability, maintainability, timely updates, and everything else that is important to my project.

Why does all these things matter? Well, because there is a huge difference between e.g. exposing a specific operating system to the Internet versus exposing it to a private company intranet. There is also a huge difference between e.g. serving only static HTML files versus having a system that requires user login, mail service, and a database with sensitive information. Sometimes when performance matters a lot, security matters less.

It all depends on the specific use case.