Someone stole Symantec's source code five years ago. Since that time, the only people who knew about the exploits were Symantec and the bad guys. So when Christine Ewing, the product manager, says "malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits," she's only half-right. The … (Continue reading: Symantec explains why proprietary software is dangerous)
The DOD keeps its own catalog of system vulnerabilities, the IAVM. You can think about this as the computer security alerting system for the DOD. If you get an IAVM, it will tell you what the vulnerability is, how critical it is, and if you need to patch it immediately. The rest of the world … (Continue reading: DISA releases IAVA-to-CVE mapping)
IBM published a fantastic introduction to the security features of the KVM hypervisor (pdf), and how it compares to its competitors. I'll be referring to this a lot.
This is an expanded version of a document that I wrote for Red Hat internally. I'm now sharing it with all of you because I find myself reciting this information at least once a week. I hope you enjoy it. Please keep in mind that I'm not a lawyer, DAA, or procurement officer. All the … (Continue reading: A Common Criteria Primer)
I'm setting up a new computer. I get through the registration screens, install my software, change my wallpaper, and everything's working fine. I'm left, though, with a lingering, uneasy feeling: I don't know if this machine is secure. I'm a computer guy, so I know how to set up strong passwords and firewalls, but I'm … (Continue reading: SCAP: Computer Security for the Rest of Us)
The adorably named "Snort" project has been the mainstay of open source intrusion detection systems for as long as I can remember. The success of Snort and its commercial wing, SourceFire, is one of the early successes of open source, especially in security. On July 5th, the Open Information Security Foundation, a consortium of companies and … (Continue reading: Open Source Pork)