Mark Litchfield wrote:

> I have heard the comment "It's a huge conflict of interest for one
> company to provide both an operating platform and a security platform"
> made by John Thompson (CEO Symantec) many times from many different
> people. See article below.
>
> http://www2.csoonline.com/blog_view.html?CID=32554

To be fair to John Thompson of Symantec, he didn't mention Microsoft by name. So I'm not going to go there. Others (Jeremy Kirk) already have.

I think John Thompson has a point and, in theory, this issue applies to other vendors. If a vendor offers both an operating system and a security platform for that operating system, there is a conflict of interest. Vendors are not being responsible if they don't take reasonable measures to provide security built into the operating system. On the other hand, vendors have every right to provide a security platform that offers enhanced security.

If I have a web server serving public documentation, I might not want much more than an operating system with a firewall, that is patched regularly and has been hardened in accordance with best practice. On the other hand, for a bastion host on my network, I might want all of the above plus more advanced security features such as mandatory access control, intrusion detection capabilities, enhanced logging etc.

The conflict of interest lies in how we define "reasonable measures". This is a gray area. How much security does a vendor have to provide by default? If a vendor wants to sell licenses for its security platform, there has to be some added value to the customer. The temptation is for the vendor to remove security features from the base operating system and only make them available in the security platform. The security of the base operating system suffers so the vendor can sell more licenses for the security platform. The vendor must be responsible in deciding what security features should be considered optional.

I won't attempt to define a complete subset of these features in this email, but you'd hope that no vendor would consider security updates as an optional extra.

Thanks,
Paul