|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Publicity] [blog post draft] Security vs features
We've just released a rather exciting batch of Xen security advisories. There's <a href="https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt";>grumbling</a> in some quarters that we're not taking security seriously. I have a longstanding interest in computer security. Nowadays I am a member of the Xen Project Security Team (the team behind security@xenproject, which drafts the advisories and coordinates the response). But this is going to be a personal opinion. Of course Invisible Things are completely right that security isn't taken seriously enough. The general state of computer security in almost all systems is terrible. The reason for this is quite simple: we all put up with it. We, collectively, choose convenience and functionality: both when we decide which software to run for ourselves, and when we decide what contributions to make to the projects we care about. That's not to say that the many of us involved with the Xen Project aren't working to improve matters. The first part of improving anything is to know what the real situation is. Unlike almost every other hypervisor, Xen <a href="http://xenbits.xen.org/xsa/";>properly discloses</a>, via an advisory, every vulnerability discovered in supported configurations. Security bugs are bugs, and over the last few years Xen's code review process has become a lot more rigorous. As a result, the quality of code being newly introduced into Xen has improved a lot. For researchers developing new analysis techniques, Xen is a prime target. A significant proportion of the reports to security@xenproject are the result of applying new scanning techniques to our codebase. So our existing code is being audited, with a focus on the areas and techniques likely to discover the most troublesome bugs. The difference in approach to disclosure makes it difficult to compare the security bug density of competing projects. When I worked for a security hardware vendor I was constantly under pressure to explain why we needed to do a formal advisory for our bugs. That is what security-conscious users expect, but our competitors' salesfolk would point to our advisories and say that our products were full of bugs. Their product had no publicly disclosed security bugs, so they would tell naive customers that their product had no bugs. I do think Xen probably has <a href="http://xenbits.xen.org/people/iwj/2015/fosdem-security/";>fewer critical security bugs</a> than other hypervisors. It's the best available platform for building high security systems. But that doesn't mean Xen is good enough. Ultimately, of course, a Free Software project like Xen is what the whole community makes it. In the project as a whole we get a lot more submissions of new functionality than we get submissions aimed at improving the security. So personally I very much welcome the contributions made by security-focused contributors - even if that includes criticism. _______________________________________________ Publicity mailing list Publicity@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |