JeffOS EAL4+ Secure System

(read my background article first) JeffOS gets EAL4+ certification… not really.  Primarily because I haven’t created JeffOS.  But hey, I’m thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation.  What?  Does the evaluated configuration make a difference?  IF JeffOS is evaluated EAL4+, doesn’t that mean all of JeffOS is certified?  I’m afraid not, security super friends.  Take a look … Read more »

The Importance of the “Evaluated Configuration” in Common Criteria Evaluations

How many of you have heard of the Common Criteria ?  If you’ve ever done security work with government, you probably have.  If not, then possibly not.  Either way, read on and I’ll give you my own view, including some of the barnacles clinging to the hull of the general program. Common Criteria Background Way back in the depths of computing history, government departments used to issue request for proposal … Read more »

Coverity Confused Claims Cause Consternation and Confusion

Okay, maybe it only causes me consternation, but this is exactly the sort of thing that raises my temperature.  With the academic background of Coverity founders, one should expect a certain amount of rigor and care when it comes to analysis and conclusions, but I find myself disappointed. Jeff, you say, what are you talking about!?!? It’s been a while now, but you may recall a headline similar to this … Read more »

Workload Vulnerability Index

In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Workload Vulnerability Index, that provides a weighted measure of the impact that ongoing security vulnerabilities have to those doing patching.  Here is how the report defines it: This vulnerability workload index gives a measure of the number of important vulnerabilities that security operations staff … Read more »

Washington Post – A Time to Patch III: Apple

You’ve probably already read Brian Krebs article A Time to Patch III: Apple, but if you haven’t, I encourage you to read it and read the various responses he received – the responses run the gamut of Linux advocates (“You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word?”), conspiracy theorists (“…This sounds … Read more »

On Disingenuous Analysis and Transparency

So, I am perusing security blogs this weekend and I read this interesting entry by Mark Cox of Red Hat about transparency where he says “…the Microsoft PR engine has been churning out disingenuous articles and doing demonstrations based on vulnerability count comparisons.”    In general, I think Mark’s a good guy with a hard job, doing the best he can to be open and transparent.  In my opionion, his team … Read more »

Microsoft and Security

As my first content-ful blog topic, I want to digress a little and talk about security and Microsoft and my own opinions on how both relate.  After all, I work at Microsoft as a Director in the Security group and my blog is a Microsoft technet blog.  I imagine that it might be helpful in future discussions if I articulate certain opinions and assumptions that help form the context for my personal viewpoint.  I … Read more »

Obligatory Introduction and Welcome

After waffling and talking about it for a long time, I’ve finally started my security blog.  As with any new adventure, I should pause for a few solemn moments and reflect upon how I reached this point of our story. I’m a Hoosier born and bred, from the southern part of the state, though I haven’t lived there in 20 years.  I’m a Purdue and later USC grad in computer engineering. … Read more »