Computer Security Criteria

Rolf Marvin Bøe Lindgren writes: "For most human endeavors that involve some sort of risk, there are powerful, recognized public interest groups or even government-appointed organizations that investigate and analyze dangers, prescribe guidelines, determine criteria for acceptable risk, etc. This does not seem to be the case for software! I work for a ship classification company. The purpose of such companies are, very simply put, to determine how safe seagoing vessels are, for instance in order that insurance companies can decide insurance premiums. There are, needless to say, numerous conventions and special interest groups to determine safety at sea. That is, as far as I know (and I would very much like to be proven wrong), except the computer systems that the ships use. there are restrictions, laws and regulations involved in just about any object that goes into a ship except the computer system. Everybody seems to know, for instance, that UNIX is safer that Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another."

"Now, I could ask Slashdot how to go about to form a recognized body, but I have access to competence in that particular matter. What I would rather like to know, is this:

• What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?
• How should one go about to find competent and interested people who would like to be part of a body like I describe, or consultants to one?

Depends on the Industry

[Arandir]

It all depends on the industry in question. Take as an example, light bulbs. When you buy a lightbulb for you bathroom light, no one really cares. But when you buy a light bulb for your car headlight, you start running into safety regulations. And when you buy a light bulb for your left airplane wing, the FAA is going to be breathing down your neck.

I help build software for invasive diagnostic medical devices. The FDA (and similar organizations for other nations) is very concerned about the software we use. They don't have a checklist of brands, makes and models of software, since that's not the nature of software. But they do audit our development process. ISO compliance is easy. FDA compliance is hard.

For our next project, some boneheads decided on Win2K and "embedded" Win2K. I personally think the decision is stupid. But it probably won't affect the final quality of the device. Why? Because it won't be a stock Win2K, it will be the embedded version, stripped of everything we don't need. We will be in charge of the hardware it runs on. It will be tested under rigorous protocols. Etc.

The FDA doesn't care that it will have Windows on it. But they will care that it operates safely. That means it can't crash while diagnosing a live patient.

Re:Most secure web server

[Glorat]

Here is another clue I got today from my uni lecturer. If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?

*Up go hands of Linux advocates*

Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal

Back to the article, would a measurement take into account this type of situation? Does Mac get a high rating for low rate of incidents or a low rating because it (probably) has more bugs than Linux. Open question