Student Projects:Most Secure Platform

From CSEP590TU

In Search of the Most Secure Platform

This group was initially started by El-Gammal and Tolba seeking other colleagues with similar project interests. Close proximity to the Seattle area is desired for easier meetings and collaboration.

Member List

Tolba
El-Gammal
Lin Huang
Eric Vandenberg
Man Xiong
Winfred Wong


Project Goals

At the heart of the claim that open source software is inherently more secure than commercial software is Eric Raymond’s maxim that “Given enough eyeballs all bugs are shallow”. This project will take a closer look at the data to support or disprove this line of reasoning. It will investigate the effects of having the source code available to both attacker and defender in open source and commercial software, as well as the claim of commercial software providers that open source software suffers from a lack of accountability in dealing with security vulnerabilities. We will also investigate how software security impacted the procurement decision-making process in large corporations and government agencies.

Brainstorming ideas

In attendance: Ahmed Tolba; Mohammed L El-Gammal; Eric Vandenberg; Man Xiong; Lin Huang

I think we have another member (Winfred ??) – If anyone knows his email, please resend including him…

Here is the outline of the document:

Title: In Search Of The Most Secure Platform

  • Introduction
    • OS vs IP background
    • Security debate between OS vs IP
  • Bug Trends and Security statistics (Interview/Sources from Mike Howard)
    • Changes in user expectation on security
    • Case studies (two examples?) – OS/IP
      • Looking @ security bulletins
    • End user perspective on security
    • Economics of security
  • Comparisons of security (OS / IP)
    • Processes (dev, release, making changes, etc)
    • Incentives to be secure (company, employee, OS committee, etc)
    • Market share (impact of “security” gone broke)
    • Openness of source (accessibility, read/write, restrictions, etc)
    • Support/responsibility roles
  • Initiatives and direction for security mitigation (OS / IP)
    • Mitigation
    • User evangelism
    • Research
    • Education
    • Tools
    • Looking ahead of security in OS / IP

Action Items:

  1. Mohammed: Send out a list of links for different ways to find sources, e.g., IEEE, research reports, Factiva, etc. ETA: EOD Saturday.
  2. Ahmed: Produce a draft based on the above.
  3. Eric: Send email to the prof to clarify who will read this thing.
  4. Collecting Sources:
    1. Eric/Winfred: Section #2
    2. Man: Section #3
    3. Mohammed/Lin: Section #4

Of course, if you find something good that doesn’t belong in your section, include it too!

--Eric

End of Email Thread

Tolba 16:09, 6 Nov 2004 (PST)
LinHuang 18:09, 7 Nov 2004 (PST) -- added couple of bullet items

Proposal Draft

In Search of the Most Secure Platform

Team Members (in alphabetical order)

  • Ahmed Tolba
  • Eric Vandenberg
  • Lin Huang
  • Man Xiong
  • Mohammed El-Gammal
  • Winfred Wong

Project Description

"In Search of the Most Secure Platform" explores myth and fact about the real security of Open Source Software versus its proprietary counterpart. The paper is intended to serve as a guide for policy makers responsible for software adoption decisions in sensitive areas. The focus is on presenting an objective overview of the security aspects of both choices rather than providing an absolute prescriptive recommendation. This insight would be substantiated by taking a deeper look at the making of software on both sides and examining the fundamental reasons for the inherent advantages or disadvantages of one method over its counterpart. Finally, the paper would present the latest initiatives and direction from both sides for making their camp more secure, thus ending with an attempted look into the future of software security.

Subtopics

  1. Introduction
    1. History of Security
      1. Software applicability
      2. User perspective changes
    2. The Economy of Security
    3. The Open Source Movement
  2. Research into the bug-trends and security statistics
    1. Case study on 2 classes of proprietary products versus their open source counterparts
  3. Result analysis by examining
    1. Respective processes (dev, test, release and update)
    2. Incentives provided by both disciplines
    3. Market-share and impact on frequency of attack
    4. Source availability and relation to sophistication of exploits and how fast they are available
    5. Support and accountability factors
  4. Initiatives and direction when it comes to security (for both camps)
    1. Quality Control
    2. Mitigation
    3. User Evangelism
    4. Research
    5. Developer Education

Sources

Linux vs. Windows Viruses

Counterpoint: Linux vs. Windows Viruses

Too much trust in open source?

Microsoft's blast from the past

What Linux can learn from Windows

Windows: A lower Total Cost of Ownership

August 2003 – Worst Virus Season Ever?

Security Report: Windows vs Linux

Windows v Linux security: the real facts

IT security info

The truth about the Linux vs. Windows level of security


Other interesting reading regarding security and the government's stand:

Is Open Source Good for Security? http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html

Open Source Security: still a myth http://www.onlamp.com/pub/a/security/2004/09/16/open_source_security_myths.html

OPEN-SOURCE SECURITY http://infosecuritymag.techtarget.com/articles/march01/features1_open_source_sec.shtml

Open Source Security for the Federal Government http://www.coolheads.com/egov/opensource/topicmap/ts0/tp240.html

UK government backs open source http://news.zdnet.com/2100-3513_22-945784.html

The OGC said it was satisfied that open-source software could provide good enough security for government systems. "Properly configured open-source software can be at least as secure as proprietary systems, and is currently subject to fewer Internet attacks," it said, adding that in some cases mainstream proprietary products may be significantly less secure than open-source alternatives.

http://66.102.7.104/search?q=cache:pwdsFvv9RLQJ:www.e-envoy.gov.uk/assetRoot/04/00/28/41/04002841.pdf+open+source+security+government&hl=en

Open source is fertile ground for foul play http://www.devx.com/opensource/Article/20111

Q&A: Does the U.S. government have an open-source security plan? http://www.linuxworld.com/story/32813.htm

Open source intrusion prevention test tool released http://www.vnunet.com/news/1159172

Government Computer News (GCN) daily news -- federal, state and ... http://www.gcn.com/vol1_no1/daily-updates/24339-1.html

eGovOS http://www.egovos.org/Conferences

LinHuang 19:18, 7 Nov 2004 (PST)


Sources for case studies:

1) A recent study on Windows vs Linux (pro-Windows) published by Forrester and recommended by Microsoft. Contains comparisons on responsiveness, thoroughness, and severity of security-related bug fixes. http://www.microsoft.com/windowsserversystem/facts/analyses/vulnerable.mspx

2) A counterattack to the above study. Also full of data and analysis. http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux.pdf

winfredw 00:18, 8 Nov 2004 (PST)

Additional case study sources:

Open source versus commercial firewalls: functional comparison. Patton, S.; Doss, D.; Yurcik, W. http://ieeexplore.ieee.org/iel5/7152/19253/00891032.pdf?tp=&arnumber=891032&isnumber=19253&arSt=223&ared=224&arAuthor=Patton%2C+S.%3B+Doss%2C+D.%3B+Yurcik%2C+W.%3B

Worms, DoS, and other distributed security topics:

David Moore, Geoffrey Voelker, and Stefan Savage. Inferring Internet Denial of Service Activity. Proceedings of the 2001 USENIX Security Symposium, Washington D.C., August 2001.

David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code. Proceedings of Infocom 2003, San Francisco, CA, April 2003.

Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to Own the Internet in Your Spare Time. Proceedings of the 2002 USENIX Security Symposium, San Francisco, CA, August 2002.

Division of Labor

The initial assignment of team members to sections is as follows:

  1. Introductory Section: Winfred
  2. Security Statistics Research and Analysis: Man,<member3>
  3. Root Cause Analysis: Ahmed, Ericvan
  4. Initiatives and future direction: El-Gammal, Lin

--El-Gammal 11:50, 8 Nov 2004 (PST) : I'm also interested in sections 2&3 so I can help with those if needed.