From: "Vic Parat (NSS)" <[EMAIL PROTECTED]>

I find it quite relevant in that the only true difference between a secure program and an insecure one is proper configuration /*my opinion*/.

I disagree. Some programs, like Sendmail, just have inherently bad architecture, and are more prone to vulnerabilities than their contemporaries, like Postfix or qmail.
Now if this list is about "insecure programs, nothing more, nothing less" then why are items like telnet listed?
Sorry, the title said programs but I just meant computer items in general, pretty all-encompassing.
Whose telnet: Sun's, Linux's, MS's? Telnet is a lot more than a program.
I should have been more specific. What I really meant was that Telnet used to remotely administer systems is not secure. There are a few minor legitimate uses for it, but for the most part I feel it should be avoided in favor of something like SSH.
What are your top ten criteria for evaluating a tool (program, service, protocol, etc.) in terms of security?
Mostly by looking at its track record, and getting the opinion of other security workers.
Is the amount of coverage on SF your only one?
No, but if it has a big list on SF, plus comes up on Slashdot all the time, and frequently releases security updates...
What about product support?
Irrelevant to this discussion, we're talking about basic design issues, not support or maintainability issues.
Vendor history?
Definitely.
Open source vs. closed source?
Well, my personal opinion is that Open Source is the better model, but that doesn't mean all Closed Source products are inferior, I try not to weigh this factor too heavily.
Corporate policy?
For the most part I set Corporate Policy in this area, so no, not really.
Cost?
That's not relevant to the discussion at hand.
Vendor reputation?
Yes.
Do you even have a formal set of criteria that a tool must meet in terms of security,
No, we're too small for that kind of bureaucracy.
or do the bean counters make the decisions for you?
Sometimes, but not when I can help it.
Oh, in case anyone is interested, here is the list as it currently stands after several days' discussion (I gave up on putting them in order, too subjective):

1) Microsoft Outlook & Outlook Express
2) Telnet - when used for remote control
3) Sendmail
4) IIS Server
5) Wireless networking - unless used with extreme paranoia
6) PHP - it seems to make it easy to write insecure code.
7) R services (rsh, rcp, rlogin)
8) ActiveX - mostly because of what it's used for, not the actual protocol.
9) BIND
10) ?
Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates
"Encrypt everything, and ask questions later."