Re: [Fed-Talk] [Announce] iOS 5 - Security Configuration Recommendations - Posted at NSA
- Subject: Re: [Fed-Talk] [Announce] iOS 5 - Security Configuration Recommendations - Posted at NSA
- From: "Colvin, Ron (GSFC-700.0)[SGT INC]" <email@hidden>
- Date: Mon, 14 May 2012 20:12:53 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] [Announce] iOS 5 - Security Configuration Recommendations - Posted at NSA
Half-baked? Does that apply to the security guidance that Apple would be able to release at the time that it releases an Operating System? If so, and all of the users are guinea pigs on what security controls should be in place, I am not sure that we are getting the secure operating system that Apple promotes so hard. I am not aware of any other major OS vendor that does not release a best practices or hardening guide around the time of release. Without that, Apple is implying either that no guidance is needed or that all the users are on their own for whatever might happen. Since eventually a hardening guide comes out...
The importance of an NSA-approved security guide, no matter how long it takes, rather than a timely security guide fits into the PR security mindset rather than actual security controls and good configuration guidance. That fits right together with the PR-related software releases for 10.5 today. Remove any trace of the malware that came with a root exploit and remove the ancient Apple-provided Flash. No Java patch, no Safari patches...
Talking about half-baked security guidance as something that Apple is avoiding ignores a very large number of security stories regarding Apple products where Apple was late to respond and gave incomplete advice.
Mobile
On May 14, 2012, at 7:00 PM, "Shawn Geddis" <email@hidden> wrote:
> On May 14, 2012, at 4:02 PM, Ron Colvin wrote:
>> On 5/14/12 3:43 PM, Shawn Geddis wrote:
>>> Fed-Talk members,
>>> As has been the case over the years with OS X, the first version of the iOS platform guidance has been both branded and posted directly by NSA as a result of guidance collaboration between our two organizations. This will be posted at http://www.apple.com/support/security/guides/ as well. Moving forward, the guidance will be branded under Apple, but will still result as a byproduct of continued guidance collaboration between our organizations.
>>>
>>> Collaboration and posting of SCAP content is the direction moving forward, so keep a lookout for more information on SCAP on Apple.
>>>
>> So we can expect a 10.7 security guide soon? Maybe even before 10.8 is released? As I have mentioned before waiting for so long after the release of the OS to get even a preliminary version of the Security Guide out is not helpful. It would be much better to get it out and then do revisions if necessary.
>
>
> Ron,
>
>> So we can expect a 10.7 security guide soon?
>
> All good things come in due time.
>
>> It would be much better to get it out and then do revisions if necessary.
>
> Half-baked/vetted guidance does more harm than good.
>
> As I recall, NASA uses the CIS Benchmark documents instead and I believe you and Allan Marcus (DOE/LANL) were even leading that out on OS X at one time. Has that policy changed and are you not involved anymore?
>
> - Shawn
> ________________________________________
> Shawn Geddis T (703) 264-5103
> Security Consulting Engineer C (703) 623-9329
> Apple Enterprise Division email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>