Security Basics mailing list archives
RE: About Operating Systems security
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Thu, 29 May 2003 09:26:23 -0500
It may be more secure, then again it may not. It could just be that there are more users of certain proprietary OSes, so more people attempting to break in, finding more flaws. I think if you read the studies with an open mind (instead of the pre-conceived notion you seem to have), the data isn't all that clear.

"Prove nobody has ever broken into a (properly configured) xyz". You can't prove a negative. So your proof, that open source is the highest security, is flawed.

The 'many eyes' theory is only valid IF people actually do review the code. Given recent events, such as the sendmail flaw that's been there for many, many years (since 1988 IIRC), it's clearly NOT true, even for the most used programs. Once you get away from the top 10 or 20 or 100 applications and servers, into stuff written by one or two individuals and maintained by them for many years, with a few 100s or 1000s of (non-hostile) users, all bets are off.

-----Burton

-----Original Message-----
From: yannick'san [mailto:yannicksan () free fr]
Sent: Tuesday, May 27, 2003 1:55 PM
To: security-basics () securityfocus com
Subject: About Operating Systems security

Hello everybody,

First of all, I know the subject I'm going to talk about has largely been discussed everywhere but, up to today, the main problem I have is that I can't really find the right documentation I'm looking for, and the more reports I read, the harder the task becomes. So, now, I ask the list for some help... Ok, here I start.
Considering the following functionalities installed on the same machine and nothing more: (a) a firewall, (b) a web server, (c) a database. I have already proved that the security level will be the highest if I use Open Source for (a, b, c), and for reaching that point, not only have the security processes and procedures already been written (processes and procedures for regularly auditing the functionalities installed and also for dealing with a recovery plan, for example) but also the code and reviews that could be done or have been done. But as (a, b, c) is supported by an OS, the hardest problem I have is how to introduce a new one in a company - Probably I should have started to think about that before... - How to prove that the OS chosen for only supporting the functionalities announced before will be the most secure OS of all. How to prove it in front of directors, managers and engineers. Any pointers, news or documents are welcome and I'll keep everybody informed on the result :)

-Yannick