[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45FF3349.6070502@qut.edu.au>
Date: Tue, 20 Mar 2007 11:05:13 +1000
From: Paul Stepowski <p.stepowski@....edu.au>
To: Mark Litchfield <Mark@...software.com>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
full-disclosure@...ts.netsys.com
Subject: Re: Your Opinion
Mark Litchfield wrote:
> I have heard the comment "It's a huge conflict of interest" for one
> company to provide both an operating platform and a security platform"
> made by John Thompson (CEO Symantec) many times from many different
> people. See article below.
>
> http://www2.csoonline.com/blog_view.html?CID=32554
To be fair to John Thompson of Symantec, he didn't mention Microsoft by name.
So I'm not going to go there. Others (Jeremy Kirk) already have. I think John
Thompson has a point and, in theory, this issue applies to other vendors. If a
vendor offers both an operating system and a security platform for that
operation system, there is a conflict of interest.
Vendors are not being responsible if they don't take reasonable measures to
provide security built-in to the operating system. On the other hand, vendors
have every right to provide a security platform that offers enhanced security.
If I have a web server serving public documentation, I might not want much more
than an operating system with a firewall, that is patched regularly and has been
hardened in accordance with best practice. On the other hand, for a bastion
host on my network, I might want all of the above plus more advanced security
features such as mandatory access control, intrusion detection capabilities,
enhanced logging etc.
The conflict of interest lies in how we define "reasonable measures". This is a
gray area. How much security does a vendor have to provide by default? If a
vendor wants to sell licenses for its security platform, there has to be some
added value to the customer. The temptation is for the vendor to remove
security features from the base operating system and only make them available in
the security platform. The security of the base operating system suffers so the
vendor can sell more licenses for the security platform.
The vendor must be responsible in deciding what security features should be
considered optional. I won't attempt to define a complete subset of these
features in this email, but you'd hope that no vendor would consider security
updates as an optional extra.
Thanks,
Paul
Powered by blists - more mailing lists