If I search for the two words: OpenBSD and NetBSD on http://www.exploit-db.com/ then I get 17 hits regarding security bugs on OpenBSD, and 8 hits regarding security bugs on NetBSD.

So what are the differences exactly, and how do NetBSD and OpenBSD audit their code?

3 Answers

@rook: you should run a diff on the two kernels; after all those years (17 since the split) of divergence there isn't that much that is still common. However, there is still cross-breeding between projects, and a really good idea will spread all around.

OpenBSD got way more in the way of security architecture, as in compiler support to prevent buffer overflows, address randomization all around so nothing is predictable by an attacker, strict memory protection so writable memory is not executable, that kind of stuff making any bug that would have passed its developers' prying eyes way harder if not impossible to exploit. It also makes running insecure software a bit safer.

OpenBSD was also first to introduce many advances, especially in the field of practical cryptography, e.g. stronger password hashing (bcrypt), swap encryption... Stuff that won't affect any exploit count (which doesn't mean much as a security metric; if one didn't find a bug, maybe he merely didn't look hard enough) but does a lot for practical security. Also in the practical security part you could see the widespread privilege separation and widespread chrooting as things that, should bad stuff happen, will make it a lot less bad...

Disclaimer: I used to be an OpenBSD committer, but it was a long time ago.

The first point I'd make is that the number of hits on a given vulnerability/exploit db is not a reliable indicator of overall security. This could largely be defined by other factors such as the focus of security researchers' efforts or disclosure policies.

Even a quick read over the project websites provides an indicator of the likely comparative security posture between the two. OpenBSD clearly states that one of its core aims "is to be NUMBER ONE in the industry for security". They provide a great deal of information and detail regarding their approach to accomplishing this task. I don't want to repeat @Bruno Rohée's answer, but they have implemented a number of advanced security features, pioneered new (and admittedly controversial) versions of commonly used C functions (strlcpy and strlcat, which have since been adopted by NetBSD and FreeBSD), they provide a great deal of information pertaining to their rigorous source code auditing process, and they ship the operating system in what they call a ‘Secure by Default’ mode.

Although NetBSD is by no means lacking in security by any generalist comparison, its core project goals do not make any explicit mention of security:

  • provides a well designed, stable, and fast BSD system,
  • avoids encumbering licenses,
  • provides a portable system, which runs on many hardware platforms,
  • interoperates well with other systems,
  • conforms to open systems standards as much as is practical.

...while OpenBSD’s do:

  • Pay attention to security problems and fix them before anyone else does. (Try to be the #1 most secure operating system.)
Comment: +1 for making the point that the # of hits on a vuln db is not a reliable indicator of overall security... (Commented Apr 1, 2011 at 2:32)
It's not showing the reality! It's exactly like the bug difference between Apache and nginx. Apache has a lot more, but this is only because it is much more used than nginx.

I don't know anything about NetBSD code audit, but OpenBSD is very serious about that. Read this (Audit Process): http://www.openbsd.org/security.html

If you need a trusted OS, then OpenBSD should be your choice.

Regards
