OpenBSD Journal

IEEE Begins Standard to Create Baseline for More Security

Contributed by jose on from the standards- dept.

Charles Hill writes: "The ability to enhance security in information systems and networks is limited by the operating systems that underpin them. Recognizing this, the Institute of Electrical and Electronics Engineers (IEEE) has begun work on a standard to formulate consistent baseline security requirements for general-purpose (GP), commercial, off-the-shelf (COTS) operating systems.

Businesswire story

This sounds like a baseline standard, a step below the Common Criteria (CCEVS). Well, a non-governmental standard anyway."

People have been trying to do this for a long time, but it's plagued by the complexity of the situation and the dynamism of industry. We'll see what comes of this, but remember what happened to the Rainbow books and the Common Criteria.

(Comments are closed)

  1. By Anonymous Coward () on

    I hope this isn't just going to be a 'standard' where 'lots of money' is the baseline criteria for claiming compliance.

  2. By Anonymous Coward () on

    This is stupid, just as all the other "security" certifications and whatnot are. It's an "information security" mantra that you can't bolt on security so why/how would another worthless "certification" be effective?

    Would Windows suddenly become secure? Would worms stop working? Viruses fail? Would programmers the world over suddenly stop writing exploitable code because someone said "don't write exploitable code"?

    I think not.

    The first step in secure OS's is to fire the hype-spewing marketing types who drive needless feature development on timetables that are impossible to meet without cutting corners.

    You don't see that type of marketing with OpenBSD, do you? And look at the OpenBSD errata versus the now marketing-driven Red Hat.

    Security standards are a joke and defy even their own logic.

    1. By Anonymous Coward () on

      And have you heard of these IEEE POSIX standards? What a joke are they? Who needs "standards compliant"? Everybody knows that the mantra of interoperability is untrue. No one has ever benefited from this so-called portability. What a load of crap. Look at OpenBSD - it doesn't care about POSIX, does it? Who needs it! OpenBSD and all O/S's can survive without it.

      Get real. A lot of IEEE standards are very effective for what they do - and if this is executed by the right people and taken in the right direction, then it could be as well. No standard is going to be a silver bullet for security - but at least it may contribute to raising the bar.

  3. By tedu () on

    in RFC format:

    The secure system MUST have passwords. They SHOULD be hard to crack. Easy to crack passwords SHOULD be identified as such.

    The secure system MAY NOT transmit viruses. As an OPTIONAL extension, it MAY quarantine them.

    Viewing of pr0n SHOULD be restricted. Users MUST be 18 years old.

    1. By Anonymous Coward () on

      VIRUSES: The secure system MAY NOT transmit viruses. What about on Tuesdays?

    2. By Anonymous Coward () on


  4. By butthead () nope@nodda.not on

    They can just create a page that says "See OpenBSD.".

