August 5, 2003 6:11 AM PDT
SuSE Linux gets security credentials
Many governments require a computing product to be certified against the international Common Criteria standard before their agencies are allowed to purchase it. SuSE Linux Enterprise Server 8 running on IBM's Intel-based xSeries servers has achieved Evaluation Assurance Level 2 (EAL2) of the Common Criteria, the companies announced in conjunction with the LinuxWorld Conference and Expo.
"It certainly raises the viability and increases the trust level of Linux in government contracts," IDC analyst Chris Christiansen said. Though commercial buyers don't usually give Common Criteria certification much more than passing notice, "the government market is very large," he said.
The certification is necessary for some of the Linux computers the Munich government plans to install, said Markus Rexx, vice president of development for SuSE, speaking at a news conference at the show. In addition, it will immediately open up about a dozen possible deals at the U.S. Department of Defense, said Dan Frye, head of IBM's Linux Technology Center.
Common Criteria certification attests that a product meets a defined set of security functional requirements, spelled out in its security target, and that the company supporting the product meets assurance requirements for documenting security features, handling vulnerabilities and testing. A certificate covers only the evaluated configuration, in this case SuSE Linux Enterprise Server 8 on the xSeries hardware named in the evaluation; the same software on other hardware, or configured differently, is not covered by it.
However, obtaining the certification is time consuming and expensive. "Unfortunately, only a few very large vendors of hardware and software can afford the certification process," Christiansen said.
While the move is important for Linux, the 12-year-old Unix-like operating system still lags competitors in the certification process. Microsoft's Windows 2000, along with Sun Microsystems' Solaris, IBM's AIX and Hewlett-Packard's HP-UX, have the higher EAL4 certification. The EAL number reflects how deeply a product was evaluated, from documentation review at the low levels up through independent design analysis and testing at the higher ones, rather than the strength of its security features in absolute terms.
IBM spokesman Clint Roswell said Big Blue expects to receive EAL3 certification for SuSE Linux by the end of 2003, with EAL4 to come later. Also by the end of the year, IBM's Common Criteria certification for Linux will extend beyond the company's Intel servers to its other three server lines as well, he said.
Obtaining EAL2 certification typically costs between $400,000 and $500,000, Roswell said.
EAL4 is expected in about 18 months, Frye said. EAL2 certification was obtained for the standard version of SuSE's product; no modifications were required, he said.
IBM and SuSE will release "key components of the Common Criteria evaluation" to the Linux development community, the companies said.
Red Hat sells the most widely used version of Linux, a step ahead of No. 2 SuSE. Database giant Oracle is working with Red Hat to obtain Common Criteria EAL2 certification for Red Hat's Linux by the end of the year.
One military customer expressed support for the move. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission-critical environments," Fritz Schulz of the U.S. Defense Information Systems Agency (DISA) said in a statement.
Separately on Tuesday, the Free Standards Group is expected to announce that DISA now requires Linux to meet the FSG's Linux Standard Base specification before it may be used by the U.S. military. The standard will help make it easier to move applications from one version of Linux to another, Schulz said.
IBM said it's working to create a version of SuSE's Linux that complies with another U.S. military requirement, the Common Operating Environment, software that shields military computer users from differences between numerous different operating systems.
The security of Linux is "pretty comparable to the security in commercial operating systems," said Neel Mehta, a research engineer at Internet Security Systems whose job is to pore through code looking for potential weaknesses. "I think software is becoming more secure, and Linux has followed the same trend. You don't see the simple vulnerabilities or simple coding errors to the same extent you would three or four years ago."
However, Mehta didn't agree with an argument many open-source advocates make, that the open nature of their software's underlying source code means more people can stamp out vulnerabilities.
"I don't think it's necessarily true that it's more secure because the source is out there," Mehta said. "Not everybody looks at it, and not everybody is qualified to evaluate software at an in-depth level."