Standardizing on Security
Hal Flynn, 2004-01-14

The Linux standards group publishes 565 pages of data describing a standards-compliant Linux package. So why aren't any of them about security?

Standardizing on Security 2004-01-15
Anonymous
Standardizing on Security 2004-01-16
Anonymous
Bring in the zealots. 2004-01-16
Anonymous (1 replies)
Bring in the zealots. 2004-01-19
Anonymous
Fedora Core release 2 2004-01-16
Jared Robinson
Standardizing on Security 2004-01-16
Anonymous
Standardizing on Security 2004-01-17
Anonymous (1 replies)
Standardizing on Security 2004-01-19
Anonymous
Hal would be right... 2004-01-19
Anonymous
If security was a product. But it isn't, and this article doesn't pass the laugh test.

I'm not actually sure if Hal's argument makes any more sense than saying "If security standards were built into C/C++, there would be fewer exploits." There could be programming practices that will result in better code, but changing the tool will do nothing without changing the process of those who implement.

Linux is something that can be implemented several ways -- it's a tool. On one end of the spectrum, the NSA has an implementation using mandatory access controls, on the other Tivo has another implementation running a high-end VCR.

What's saying that Hal's nebulous standards are going to do anything other than lock most implementations down into a cookie-cutter application?

Most of the standards that Hal's referring to, like the IETF ones, etc., were developed for *interoperability*. These standards exist so systems and processes can intercommunicate.

Security controls are determined on acceptable levels of risk. Frankly, there's a lot more to security than deploying a "secure OS".

At least he didn't start off about how his military training taught him to defend a perimeter around a beer garden and how that's somewhat analogous to UNIX security. As a former USMC Infantryman (combat decorated in Somalia) I think his comparison is just silly.


Standard Argument 2004-01-19
Anonymous
Standardizing on Security 2004-01-21
blacklight
Standardizing on Security 2004-01-21
Anonymous
Copyright 2009, SecurityFocus