Marcus quotes a posting:
>>Now, to the Orange Book. The poster focused on features, but that is NOT
>>the focus of the OB. The focus of the OB is ASSURANCE
>[...]
>>However, I will be happy to discuss any supposed "irrelevance" of OB or ITSEC
>>requirements to the commercial world.
Then Marcus says:
> There's no need to -- you already explained (more tersely than
>I did) the problem with the orange book earlier on in your comments.
> It's not about features, it's about assurance.
> Commercial computing is about features (represented as functionality)
> Therefore orange book is irrelevant to commercial computing.
Here at Secure Computing we're betting that you're wrong.
That's why we're in the midst of ISO 9000 certification, why we
produced a policy specification for Sidewinder, why we built a whole
new security mechanism into Unix instead of pasting in some patches,
why we track all bug reports to closure, why we run the system through
a very controlled validation and release cycle, and even why we run
the Challenge.
People may cut corners by buying MS Word, bugs and all, but they'll
pay extra for a security system system that's arguably safer than the
competition. Not everyone will pay extra, but we believe in the long
term customers will buy assured quality. Maybe someday we'll solve the
mystery of making A1 commercial products. Meanwhile we still do the
best we can.
Rick.
smith @
sctc .
com secure computing corporation
|
|
