(April 1994)

Subject: Vendors & security (was: Re: system() -> Mosaic)
From: david @ pooh . com (David Wolfskill)
Date: Mon, 11 Apr 94 20:06:56 PDT
To: firewalls @ GreatCircle . COM

>Date: Mon, 11 Apr 94 14:35:44 -0400
>From: Mark Moraes <Mark-Moraes @ deshaw .

>However, grotesquely buggy software is a separate can of worms.  The last
>time I heard a software vendor talk about security, they (as always)
>focused on password aging schemes, C2 level security, etc.  Absolutely
>nothing about fixing many well-known problems (we had already documented
>those problems) in existing daemons, vetting the systems for basic
>security and code quality.  Sorry, to me, the latter is part of general
>operating system support.

Quite true -- but here, you're bringing up the issue of system
"integrity" -- which is different from, but closely related to,
security.  Indeed, I think of them as two sides of the same coin: you
can't have one without the other.

There are some vendors (I *hope* the plural is justified!) who take
"integrity" seriously.  (I've spent the previous 12 years as an IBM
mainframe (MVS) systems programmer; defending IBM isn't something that
comes very naturally to me....  :-}  Nevertheless, based on the system
maintenance that I did during that time, as well as conversations with
IBMers & other systems folk, I got the distinct impression that IBM
treated "system integrity" as an extremely important issue.  This is
one respect in which I believe that IBM has had a good approach to such
things.  Of course, different parts of IBM may well treat such things
differently -- and the changes within IBM of late are certain to have
externally visible changes, some of which may affect all of this.  Your
mileage may vary; void where prohibited, etc., etc.)

In any case, if there is a hole in the system integrity, there is
certainly the possibility of a hole in its security... and vice versa.
We need to make sure that both vendors *and* the folks spending the
money are aware of the importance of both issues -- and that trying to
address one without the other is a lost cause... and certainly ought to
result in a lost sale.

Yours for trying to keep the vendors honest,
David H. Wolfskill				david @ pooh .

