Open Source Security and Governance

Forum

Viewing post 1 to 4 (4 total posts)
  • Forum » Invitation to partake / discuss. (4 posts)
  • Richard Morrell said 11 months ago:

    This forum has been created to highlight the usage of OSS technologies and tools in the security space within local and UK Government. The greater percentage of security assurance testing in the accreditation space relies on using Open Source. However, it doesn’t encroach very often into other areas such as IDS/IPS or firewalling due to the lack of CESG or formal guidelines for OSS adoption.

    I consult into government departments and have done for many years and provide security assurance / security engineering for specific key divisions of the defence sector where without OSS capital projects would not get to sign off, but the emergence of OSS formally seems to be a best kept secret.

    Seems a useful discussion to open up - if OSS is good enough to prove risk in decision making, then what practical inroads are required (outside of CESG) to prove OSS in the daily assurance space for network integrity?

  • Eddie Bleasdale said 11 months ago:

    A very good article on the relative security of MS Windows and Linux is at: http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/

    It is not too cynical to say that the IT security industry thrives on the lack of security of MS Windows. If we had a secure client operating system then the majority of those in the IT security industry would be redundant.

    The background to where we are is that the IBM PC was based on CP/M which was designed to run on the first 8 bit Intel 8080 processor. This was designed to be used as an embedded controller and did not have any hardware memory management. As a consequence CP/M was not able to differentiate between code and data – hence it was infected by viruses.

    IBM by selecting the Intel 8088 for its first PCs perpetrated the design flaw of CP/M. IBM, with OS2, tried to correct this mistake – but IBM’s marketing was no match to that of Bill Gates.

    Since then, to ensure it does not lose its market share, Microsoft has had to maintain backwards compatibility – hence we are stuck with an architecture that is insecure and cannot be made secure.

    Hope that helps. Also have a look at what we are doing at: http://www.trustedcomputing.org.uk/

  • Richard Morrell said 11 months ago:

    Eddie thanks for that. You miss the apple but hit the tree.

    The issue isn’t MS vs OSS, the issue is decision making based on market positioning and the lack of credibility (not marketing spend) in the certification space. Has little or nothing to do with the relative security of Linux vs Windows at all.

    From a datacentre perspective, if I look at the percentage of mission critical backend apps being hosted on clustered Linux servers vs the percentage of Linux vs other OSs (including Solaris and Windows) in the UK Public Sector for critical ops, it’s very limited. In Govt, MoD and local government especially it’s not a cost issue, it’s an operational norm decision that engenders a philosophy of non-OSS usage.

    I know Red Hat are doing some good work (or trying to make a small dent), Novell don’t have a play at all anywhere and don’t seem to be remotely interested in the space, but it would be enormously useful, especially in my space, to bolster the fact that I can produce Linux luminaries till I am blue in the face, success stories based on my work and the deployment of OSS technologies, but these aren’t matched by long-term mission critical usage in the European Govt Space (with the exception of Germany and France).

    The CP/M IBM PC bit has me entirely confused and has nothing to do with the question raised but thanks for the response.

  • Richard Morrell said 11 months ago:

    I checked Trusted Computing; you don’t seem to be doing an awful lot there. I must touch base with Phil H; I haven’t spoken to him in a long while. I have about 450+ commercial resellers of my software (won’t post link as this is a vendor neutral community within UKGovOSS and I’d like to keep it this way).

    We need to make sure that always and everywhere we’re pushing standardisation. Waiting for EAL ToEs to be developed (and paid for) is a fool’s errand, and whilst a lot of decision makers will hold these in credence, the bottom line of cost/peer review/safety and sanity often doesn’t stack up against the big boys being Sun/MS etc.

    With the ability to deploy clusters using multiple means from Ultramonkey downwards, and the proliferation of virtualisation and hypervisor technologies, we are able to scale architecture to fit the needs of the datacentre and the enterprise alike.

    We are able to ride off the backs of our community brethren to build, deploy and support scalable architectures, but we don’t want to find ourselves always playing catch-up.

    We’re not in a turf war, more in a holding pattern without the guns to start an assault :)