You gotta be careful about this EAL stuff. Linux itself isn't certified at all. It's a particular implementation of Linux that gets certified, and NONE of them are certified at EAL5 (yet). A few implementation of Linux are certified at the EAL4+ level (which essentially means they meet all the criteria of EAL4 and then some).
Also, the "security code by the NSA" is NOT part of Linux (out of the box). Security Enhanced Linux (SELinux) is a set of mods that can be applied to Linux distros.
So, while it MIGHT be ok to tell your CIO that Linux is inherently more secure than Windows, it is NOT OK to tell her or him that NSA-written code ensures this.
Slashdot Mirror
http://www.catalystsecure.com/
Yep, I totally agree.
You gotta be careful about this EAL stuff. Linux itself isn't certified at all. It's a particular implementation of Linux that gets certified, and NONE of them are certified at EAL5 (yet). A few implementation of Linux are certified at the EAL4+ level (which essentially means they meet all the criteria of EAL4 and then some). Also, the "security code by the NSA" is NOT part of Linux (out of the box). Security Enhanced Linux (SELinux) is a set of mods that can be applied to Linux distros. So, while it MIGHT be ok to tell your CIO that Linux is inherently more secure than Windows, it is NOT OK to tell her or him that NSA-written code ensures this.