Linux gains security boost

IBM and SuSE Linux meet government and military criteria…

By Stephen Shankland

Published: 5 August 2003 06:05 BST

IBM and SuSE Linux have obtained a crucial security certification that will make the open source operating system an option for demanding military and government customers. Many governments require certification to the international Common Criteria standard before they are allowed to purchase a specific computing product. SuSE Linux Enterprise Server 8 running on IBM's Intel-based xSeries servers has achieved Evaluation Assurance Level 2 (EAL2) of the Common Criteria and the companies are expected to announce it at the LinuxWorld Conference and Expo. IDC analyst Chris Christiansen said: "It certainly raises the viability and increases the trust level of Linux in government contracts."

He said that while commercial buyers don't usually give Common Criteria certification much more than passing notice, "the government market is very large". Common Criteria certification ensures software meets several security requirements. It also ensures that companies supporting the software meet requirements for documenting security features, handling vulnerabilities and testing products.

However, obtaining the certification is time-consuming and expensive. Christiansen said: "Unfortunately, only a few very large vendors of hardware and software can afford the certification process." While the move is important for Linux, the 12-year-old Unix-like operating system still lags competitors in the certification process. Microsoft's Windows 2000, along with Sun Microsystems' Solaris, IBM's AIX and Hewlett-Packard's HP-UX, have the higher EAL4 certification.

IBM spokesman Clint Roswell said IBM expects to receive EAL3 certification for SuSE Linux by the end of 2003, with EAL4 to come later. Also by the end of the year, IBM's Common Criteria certification for Linux will extend beyond its Intel servers to IBM's other three server lines as well, he said.

Roswell said obtaining EAL2 certification typically costs between $400,000 and $500,000. IBM and SuSE will release "key components of the Common Criteria evaluation" to the Linux development community, the companies said. Red Hat sells the most widely used version of Linux, a step ahead of number two SuSE. Database giant Oracle is working with Red Hat to obtain Common Criteria EAL2 certification for its product by the end of the year.

One military customer expressed support for the move. Fritz Schulz of the US Defense Information Systems Agency (DISA) said in a statement: "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission-critical environments."

In a separate announcement today, the Free Standards Group is expected to reveal that the DISA now requires that Linux meet the FSG's Linux Standard Base specification before it may be used by the US military. The standard will help ensure it's easier to move applications from one version of Linux to another, Schulz said. IBM said it's working to create a version of SuSE's Linux that complies with another US military requirement, the Common Operating Environment software that shields military computer users from differences between numerous different operating systems.

Neel Mehta, a research engineer at Internet Security Systems, said the security of Linux is "pretty comparable to the security in commercial operating systems".

He said: "I think software is becoming more secure, and Linux has followed the same trend. You don't see the simple vulnerabilities or simple coding errors to the same extent you would three or four years ago." However, Mehta did not agree with an argument many open-source advocates make, that the open nature of their software's underlying source code means more people can stamp out vulnerabilities.

He said: "I don't think it's necessarily true that it's more secure because the source is out there. Not everybody looks at it, and not everybody is qualified to evaluate software in an in-depth level."

Stephen Shankland writes for CNET News.com
