
| Subject: | Re: Your Opinion |
|---|---|
| Date: | Tue, 20 Mar 2007 11:05:13 +1000 |
Mark Litchfield wrote:
I have heard the comment "It's a huge conflict of interest for one company to provide both an operating platform and a security platform" made by John Thompson (CEO Symantec) many times from many different people. See article below. http://www2.csoonline.com/blog_view.html?CID=32554
To be fair to John Thompson of Symantec, he didn't mention Microsoft by name. So I'm not going to go there. Others (Jeremy Kirk) already have.

I think John Thompson has a point and, in theory, this issue applies to other vendors. If a vendor offers both an operating system and a security platform for that operating system, there is a conflict of interest. Vendors are not being responsible if they don't take reasonable measures to provide security built into the operating system. On the other hand, vendors have every right to provide a security platform that offers enhanced security.

If I have a web server serving public documentation, I might not want much more than an operating system with a firewall, that is patched regularly and has been hardened in accordance with best practice. On the other hand, for a bastion host on my network, I might want all of the above plus more advanced security features such as mandatory access control, intrusion detection capabilities, enhanced logging, etc.

The conflict of interest lies in how we define "reasonable measures". This is a gray area. How much security does a vendor have to provide by default? If a vendor wants to sell licenses for its security platform, there has to be some added value to the customer. The temptation is for the vendor to remove security features from the base operating system and only make them available in the security platform. The security of the base operating system suffers so the vendor can sell more licenses for the security platform.

The vendor must be responsible in deciding what security features should be considered optional. I won't attempt to define a complete subset of these features in this email, but you'd hope that no vendor would consider security updates as an optional extra.

Thanks,
Paul