Re: The possibility of vms opening up?



Main, Kerry wrote:

Having stated this, my concerns on security with open source are
primarily:

1. The notion of open systems security is based on having very
knowledgeable resources on the Internet that not only understand
security, but also security from the point of view of clustering,
threading, kernel mechanisms and increasingly complex application
environments.

Open source clustering information can be found at least at the
following web pages:
http://www.linux-ha.org/
http://www.beowulf.org/
http://openmosix.sourceforge.net/



However, while a very small number of these knowledgeable resources are
dedicated resources, most of the open source advocates have day jobs and
they do open source reviews when they get a chance. Over time, since
this majority are not being paid for these code reviews, they may lose
interest in constantly reviewing the hundreds of open source modules
being updated every day.

Since Novell has entered the Linux market, a lot of their employees get
paid to work on open source solutions. Let's not forget Red Hat and
OSDL.
Theo maintains OpenBSD as a full-time job, and as anybody knows,
there is probably nobody on this planet who is as passionate about
security as he is.

2. If a security patch does get released, at the local level, who
ensures the patch does not break clustering, forward-backward
compatibility or other specific configs like an older version of the
OS? The responsibility for testing and ensuring OS compatibility with all
of the other OS and layered product patches falls on the shoulder of the
local IT person. For some shops with very knowledgeable technical staff,
that may be acceptable.

If you look at the Linux kernel, for instance, all fixes are released as
patches, and the older kernels are supported for backward compatibility.
FreeBSD is another example, where two versions are maintained, the
older 5.x and the newer 6.x.


Unfortunately, most large shops will understandably not introduce any OS
security patches without some degree of application testing first. This
means a great deal of additional effort is required to do all of the
monthly QA compatibility testing of applications. With Linux (and
Windows) releasing 7-20 *security* (not bug fixes) patches per month,
this QA testing impact is huge in terms of people, equipment, putting
new app testing on hold while OS security compatibility testing is
completed.

This is why, to give two examples, Novell and Red Hat exist: to make
maintaining a Linux system easy, with full support when needed.

The same testing effort applies to OpenVMS, but the very high rate at
which these monthly security patches occur on Linux (and Windows)
platforms makes this issue much larger. See RH security web site:
https://www.redhat.com/archives/enterprise-watch-list/ (click on thread
for each month and add them up)

No system is inherently secure without fixes, unless you restrict what
services are to be run, which in turn would make the system
featureless.
I.e. any system not on the Internet is secure from external attacks,
but that user does not have e-mail, Usenet, a web server, ssh, irc,
etc.
One has to take risks, otherwise the Internet would never have existed in
the first place beyond, say, DARPA.


3. Most large companies are moving big time away from having their IT
staff twiddle in the OS weeds with custom OS level patching. In their
mgmts view, that is why they pay vendors for support contracts. The IT
Staffing costs typically dwarf any support contracts (usually 50-60% of
IT budget), so the cost of support contracts is not as big as some
promoters of open source would like everyone to believe. These large
Cust Managers would rather have their senior IT folks looking at ways to
better integrate their applications and or otherwise provide added value
to the business.

I never said open source cannot live without vendor support contracts.
Of course a business wants what's best for the business, open
source or closed source. Having said that, some closed source licences
are so astronomically expensive that businesses have no choice but to choose
cheaper options, and open source is quite often chosen in favour of
closed source.

