[Fed-Talk] RE: Fed-talk Digest, Vol 5, Issue 84
- Subject: [Fed-Talk] RE: Fed-talk Digest, Vol 5, Issue 84
- From: "Kim Cummings" <email@hidden>
- Date: Tue, 1 Apr 2008 16:48:50 -0400
- Thread-topic: Fed-talk Digest, Vol 5, Issue 84
Re: 2. OS security guides: Microsoft way ahead of Apple (Rex Sanders)
In general, I try not to post on here too much, and yet lately, I seem to be doing it a lot.

If you are going to be fair, you are leaving out a LOT of history of the Windows guides. I know, I was there through all of it.

The Windows guides went through a number of versions before they were ever written by Microsoft. Those versions were done by NSA, and did not come out concurrent, or even close to, the shipment of the product. This had far less to do with the fact that NSA was doing it instead of Microsoft, and far more to do with the fact that it was new. The Windows guides were the first ones done. Testing and preparation took a long time.

By the time Microsoft took over handling of the guides, they had already been fairly well developed, and the basic format and content was set. It was at a point in development where the guides were much more ready to be updated as an iterative process. This is not denigrating any of the work Microsoft has done; the Windows guides were just further along in the process when they took over.

In contrast, Apple took over the OS X guides after only one iteration by NSA. It was the first time they'd ever done anything like this, and these guides are much different than their normal type of documentation. The first one was a steep learning curve for them. Add to it that we (NSA) purposely left things out of the first set of guides to get them out quicker, knowing these areas would need to be added and addressed later. So Apple is trying to restructure these guides and add to the guides as they go along. They are not just updating previous guides for the new OS.

This time around, too, we are doing something that hasn't been done before. We (Apple and NSA) are collaborating with DISA and NIST, bringing in elements they need in the documents as well, so that these guides will be more useful. It has meant that the guides are not coming out as soon as we would have liked - which would, of course, have been concurrent with the release of Leopard. But the decision was made that now was the time to bite the bullet and take the hit on time to get this done.

As time goes by, and Apple has more seasoned guides to work from for further updates, I would expect that, like Microsoft, they WILL be able to have a quicker turn-around, and get the guides out concurrent with or shortly after an OS release.

>Message: 2
>Date: Mon, 31 Mar 2008 16:00:15 -0700
>From: Rex Sanders <email@hidden>
>Subject: [Fed-Talk] OS security guides: Microsoft way ahead of Apple
>To: email@hidden
>Message-ID: <p06230921c4171ab0b768@[130.118.62.71]>
>Content-Type: text/plain; charset="us-ascii"
>
>http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html?fsrc=netflash-rss
>
>"Arsenault pointed out that the first operating system hardening guide
>Microsoft wrote for Windows 2000 came 18 months after shipment of the
>product; the next (for XP Service Pack 2) was within 90 days of product
>shipment. With Vista and other new products, Microsoft ships the hardening
>guide along with the product."
>
>XP SP2 shipped August 25, 2004, Vista shipped January 30, 2007.
>
>Mac OS X Leopard shipped October 26, 2007.
>
>Maybe we'll get a security guide next month - 5-6 months after Leopard shipped.
>
>Apple really needs to catch up to Microsoft here, especially for the
>Federal market.
>
>-- Rex