Category: News

“A corporate Linux or open-source user that lacks indemnification and product warranty will expend its own time, money and resources fighting legal action,” said Laura DiDio, senior analyst for application infrastructure and software platforms at The Yankee Group. DiDio said that in the absence of indemnification or specific indemnification provisions, corporations could be the target of an intellectual property lawsuit that they would be forced to defend using their own money and resources.

In some cases, such as free open-source software, beta test software, steeply discounted software or software produced by nonprofits, the vendor may not realize enough of a profit to justify the cost of indemnifying its customers, DiDio said.

“Novell believes open-source software poses no greater risk of intellectual property infringement than does closed-source software, something this Yankee press release certainly doesn’t convey,” said Bruce Lowry, public relations director at Novell. “There’s been a lot of noise in the market around this issue of late, fanned by Microsoft and actions like this from the Yankee Group, but we’re not aware of any patent claim being filed against an open-source offering,” Lowry said.

“Prior to the announcement of blanket and total indemnification, if any user of Microsoft’s software was sued for patent infringement, the incentives would preclude Microsoft from abstaining and leaving their customer on their own, because if the customer lost, that would set precedent against the same Microsoft software used by anyone.”

Therefore, “in order to prevent the software from being stopped, Microsoft would—even without having given an indemnification—want to be involved with any case where its software is accused of infringement in order to protect, not its customer per se, but its software,” Ravicher said.

http://www.eweek.com/article2/0,1759,1743663,00.asp?kc=EWRSS03119TX1K0000594

In a report made public this week, the Office of Inspector General in the DHS warned that the audit turned up weaknesses in the systems used to avoid unauthorized access.

“Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources,” the report said.

The OIG also discovered that the DHS does not provide adequate or effective system security controls over remote access to its computer systems and data.

“In assessing the effectiveness of remote access controls, we identified several problems related to remote access host configurations, system patching, and the control of modems.

On the findings that system patches were not applied, Cooper said that all of the patches identified in the audit were in testing to be implemented.

http://www.eweek.com/article2/0,1759,1743639,00.asp?kc=EWRSS03119TX1K0000594

The first GPS policy update in eight years strongly reaffirms the U.S. commitment to GPS technology, a positive signal for companies that develop, market and export related products for commercial, scientific and military uses. The United States will begin an aggressive promotion and tighter coordination oversight of its Global Positioning…

Though no company names were mentioned by Nessus leaders during their recent announcement, the popular vulnerability scanner reportedly is used in many commercial security products and services.

I got [responses that ranged from] looks of disbelief to veiled threats in some cases,” said Ron Gula, a Nessus project manager and president and CTO at Tenable Network Security, which also manages the Nessus project. “The vendors who were using Nessus and not contributing anything to it were not happy.”

Jay Jacobson, CEO of Edgeos Inc. in Phoenix, would be screaming if people took credit for his creation for years.

A wide range of testing gizmos are available that can perform security vulnerability assessments, including basic port scanners, network and OS vulnerability assessment tools — even complex Web application penetration testing programs.

Almost all of the Nessus engine is made by those at Tenable, which includes Nessus founder Renaud Deraison as its chief research officer.

“It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits,” said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech’s Computer Forensics and Intrusion Analysis group.

In response to the “exploitation” of his brain child, Deraison, who still leads the Nessus project, announced that Nessus feeds will still be available in three forms: for a fee; for those who register, but with a seven day delay; and under copyright as part of the GNU Public License.

A “Registered Feed” is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed.

Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and GPL feeds at the same time.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1034903,00.html

“We asked NSA to build an IA architecture. NSA did a knock-your-socks-off job of doing this,” Guthrie said today at a lunch the American Council for Technology and Industry Advisory Council sponsored in Arlington, Va.

The IA component calls for integrating security into the GIG by, among other things, authenticating credentials and security clearances. NSA will put together a GIG Information Assurance Portfolio so DOD can have a go-to agency if portions of the grid lack adequate security, Guthrie said.

“NSA will deliver a vision for what it’s going to take to secure the environment,” she said. “This is a blueprint for us to effect this broad IA environment.”

Guthrie also said the Pentagon is getting out of the business of application integration and moving more toward data-level integration.

http://gcn.com/vol1_no1/daily-updates/31383-1.html

The conclusion is the result of a four-year research project conducted by code-analysis company Coverity, which plans to release its report on Tuesday.

The project found 985 bugs in the 5.7 million lines of code that make up the latest version of the Linux core operating system, or kernel.

A typical commercial program of similar size usually has more than 5,000 flaws or defects, according to data from Carnegie Mellon University.

“Linux is a very good system in terms of bug density,” said Seth Hallem, CEO of Coverity, a San Francisco company that makes flaw-detection tools for software written in C and C++ programming languages.

Code-analysis tools typically use software-design principles to analyze a program’s source code and flag any possible problems. Microsoft already uses such tools widely in its internal development, and many compilers are starting to include rudimentary versions of the programs as well. The tools are also being used to tame the wild coding prevalent around the Web.

Though Coverity does not have any data about the relative frequency of flaws in Microsoft’s Windows operating system, the latest data will likely feed the debate between the various proponents of Linux, Mac OS X and Windows over which operating system is more secure. A recent report, for example, found that Red Hat Linux had fewer critical flaws than Microsoft Windows. Another research paper, prepared by Forrester Research and hosted on Microsoft’s Web site, favored Windows. Yet another code analysis firm, however, last year analyzed the core networking code used in Linux and found few flaws.

Coverity has not analyzed the source code to Microsoft Windows because the company does not have access to the source code, Hallem said.

Apple Computer’s Mac OS X has a great deal of proprietary programming, but the core of the operating system is based on BSD, an open-source operating system similar to Linux.

Hallem stressed that the research on Linux–specifically, version 2.6 of the kernel–indicated that the open-source development process produced a secure operating system. “There are other public reports that describe the bug density of Windows, and I would say that Linux is comparable or better than Windows,” he said.

A representative of Microsoft could not immediately comment on the Coverity study.

The research suggests that the Linux kernel scored better than run-of-the-mill commercial code.

Proprietary software, in general, has 1 to 7 flaws per thousand lines of code, according to an April report from the National Cybersecurity Partnership’s Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.

For a 5.7 million-line program, such as version 2.6 of the Linux kernel, that roughly adds up to between 5,700 and 40,000 flaws.

Microsoft uses analysis tools similar to those in Coverity’s study to vet its Windows code. One tool, known as PREfast, runs on each developer’s workstation to check code for simple problems. The other tool, PREfix, is run every night on the Windows source code to catch more complex issues.

Coverity’s Hallem acknowledged that by running similar tools to its own, Microsoft likely had reduced the number of defects in Windows. Coverity plans to provide regular bug analysis reports on Linux and make a summary of the results available to the Linux developer community.

http://news.com.com/Security+research+suggests+Linux+has+fewer+flaws/2100-1002_3-5489804.html?tag=nefd.top