Bugtraq mailing list archives

Re: Your Opinion


From: Paul Stepowski <p.stepowski () qut edu au>
Date: Tue, 20 Mar 2007 11:05:13 +1000

Mark Litchfield wrote:
I have heard the comment "It's a huge conflict of interest for one
company to provide both an operating platform and a security platform"
made by John Thompson (CEO Symantec) many times from many different
people.  See article below.

http://www2.csoonline.com/blog_view.html?CID=32554

To be fair to John Thompson of Symantec, he didn't mention Microsoft by name.
So I'm not going to go there.  Others (Jeremy Kirk) already have.  I think John
Thompson has a point and, in theory, this issue applies to other vendors.  If a
vendor offers both an operating system and a security platform for that
operating system, there is a conflict of interest.

Vendors are not being responsible if they don't take reasonable measures to
provide security built-in to the operating system.  On the other hand, vendors
have every right to provide a security platform that offers enhanced security.

If I have a web server serving public documentation, I might not want much more
than an operating system with a firewall, that is patched regularly and has been
hardened in accordance with best practice.  On the other hand, for a bastion
host on my network, I might want all of the above plus more advanced security
features such as mandatory access control, intrusion detection capabilities,
enhanced logging etc.

The conflict of interest lies in how we define "reasonable measures".  This is a
gray area.  How much security does a vendor have to provide by default?  If a
vendor wants to sell licenses for its security platform, there has to be some
added value to the customer.  The temptation is for the vendor to remove
security features from the base operating system and only make them available in
the security platform.  The security of the base operating system suffers so the
vendor can sell more licenses for the security platform.

The vendor must be responsible in deciding what security features should be
considered optional.  I won't attempt to define a complete subset of these
features in this email, but you'd hope that no vendor would consider security
updates as an optional extra.

Thanks,

Paul
