Re: [Fed-Talk] Apple's security belly-flop
- Subject: Re: [Fed-Talk] Apple's security belly-flop
- From: Joshua Krage <email@hidden>
- Date: Mon, 27 Feb 2006 10:38:45 -0500
- Mail-followup-to: email@hidden
On Fri, Feb 24, 2006 at 09:22:49AM -0800, Rex Sanders wrote:
> One of the few arguments for keeping Macs "under the radar" and on the
> desktop at many locations is a reputation for good security.
The issue isn't that they have bugs or security problems; all software
products have them to some degree. The issue is that Apple is not learning
from other people's mistakes and applying those lessons-learned to their
development process.
We've seen the same basic bugs, for which we mock Microsoft's products,
appear in OS X, including this particular issue, which isn't restricted to
just Safari, and a variety of other OS-provided browser issues.
We see 10-year old vulnerabilities pop up in the base OS (NFS) that aren't
fixed until the next major release (four months after notification).
Take a look at the delay between public awareness of security issues and
Apple's acknowledgement and patch release. Very spotty. Some things are
released within a few weeks, some within a few months.
From personal experience, I believe this article to be fairly factual
regarding Apple's software development:
<http://www.zdnet.com.au/news/security/soa/Ancient_flaws_leave_OS_X_vulnerable_/0,2000061744,39234678,00.htm>
Darwin (the UNIX layer under OS X) is (now) fairly robust since it's based on
FreeBSD 5.x. Almost all of the problems identified have been with
Apple's add-ons, which we know and love as OS X. This is typical of an
emerging software development culture.
> What can Apple say to regain their reputation for secure computing?
Actions, not words.
Microsoft finally realized this and is demonstrating improvement. They're
vocal about their long-term plans, and top people (including Gates!) are
advocating security now. Read any security 101 primer, and you'll see that
a security culture must be exemplified from the top.
Outside a few talented individuals like Shawn Geddis, Apple doesn't have any
security visibility. Where is Steve's security manifesto for Apple?
Yes, these issues, whether acknowledged or not, have been raised through a
variety of channels to Apple staff over the past few years. Net result?
--
------------------------------------------------------------------------
F. Joshua Krage, CISSP NASA Goddard Space Flight Center
email@hidden Code 700, IT and Communications Directorate