Race Is On For Secure Linux

Competitors are lining up in the race to deliver a version of the Linux open-source operating system that will be more secure than any of its predecessors but manageable and affordable enough to garner widespread acceptance. Linux developer MandrakeSoft SA and a consortium of European software makers have entered the market, as has Trusted Computer Solutions Inc., a maker of software to securely transfer sensitive data.

Funded by the French Ministry of Defense via a three-year, $8.6 million contract, MandrakeSoft, along with system and software developers Bertin Technologies Group, Jaluna, and Surlog, plans to develop a Linux-based operating system that meets Evaluation Assurance Level 5 of the Common Criteria, known by the designation CC-EAL5. Oppida, a service provider accredited by the French National Security Agency, will evaluate the operating system against the international Common Criteria standard for IT security.

Trusted Computer Solutions plans to release a test version of its Trusted Linux operating system by the end of this year and have it on the market early next year. It began developing a more-secure version of Linux to run underneath its SecureOffice data-sharing apps and expects TCS Trusted Linux will be certified at CC-EAL4.

Analysts caution against blindly believing that security designations will translate into a certain level of security. EAL indicates the rigor of the evaluation process rather than the actual security capabilities of the system evaluated, Gartner research director Ant Allan wrote in a July research paper about Linux security. What's more important is for users to know which areas of the operating system were evaluated for certification.

"CC certification cannot guarantee that any Linux [distribution] will be free of flaws," Allan wrote. "Bugs and patches are inevitable." Allan also noted that earlier this year, SuSE Linux Enterprise Server 8 with Service Pack 3 was awarded EAL-3+ certification under the Controlled Access Protection Profile.