Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Your Opinion

from [Jonathan Glass (GM)] Network Security [Permanent Link]
Subject: Re: Your Opinion
Date: Fri, 16 Mar 2007 15:36:00 -0400 
Mark Litchfield wrote:

I have heard the comment "It's a huge conflict of interest" for one company to provide both an operating platform and a security platform" made by John Thompson (CEO Symantec) many times from many different people. See article below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS, why would it be a conflict of interest for them to want to protect their own OS from attack. One would assume that this is a responsible approach by the vendor, but one could also argue that their OS should be coded securely in the first place. If this were to happen then the need for the Symantec's, McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark

I think it's a conflict of interest for the OS vendor to become a Security platform vendor for a couple of reasons.

First, if a vendor made security a priority in the SDLC for the OS and wrote secure code, then the security platform market wouldn't exist. It's good to see Microsoft making great strides in this area.

Second, since they develop the operating system, they have a more detailed understanding of the potential vulnerabilities in their product. Since they have this in-depth knowledge, they have to make a decision about protection. Should they fix the problem with a free OS-patch and release it as part of their normal patch cycle? Or, should they include 'protection' for these vulnerabilities in their 'security product' which is a premium add-on to their base OS product, and includes maintenance/licensing costs?

If you're a conspiracy nut, or just a Microsoft-hater, you're more likely to believe the latter. If you're a pro-Microsoft fan, then you're likely to believe the former. Unfortunately, because Windows and the Microsoft security products are black boxes, we, the security community, have no way of knowing which choice they've made.

Third thought: If a company makes a security product, there's always the question as to whether or not the vendor makes securing the OS or improving the security product a priority.

Just the $0.02 of a raving lunatic.

Thanks

Jonathan

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Your Opinion, bugtraq
Next by Date:  RE: Your Opinion, Mario Contestabile
Previous by Thread:  Re: Your Opinion, bugtraq
Next by Thread:  RE: Your Opinion, Mario Contestabile
Indexes:  [Date] [Thread] [Top] [All Lists]