This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague - http://www.afcea.cz/ Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified. The audience was a military audience who were at the conference to discuss Cyber Security.

1. Open Source and Security:
Engineering Security by Design
Jeremy Brown
Manager, Solution Architects
Red Hat
December 2011

2. Overview
What has Open Source got to do with Security?
Red Hat – Enforcing Security by Design
Re-inventing the engagement model
Virtualisation and mobility – Cloudforms

3. What has Open Source to do with security?
Security is fundamental and needs the scientific approach of peer
review
If you translate the scientific approach of peer review to software,
the only way to do it is to be Open Source
If you use Solaris, AIX, HP UX, SCO or SCADA you need
to understand that OpenSource is the feeder for your world
93% of all major internet traffic moves using OpenSource
derived architecture, predominantly on Linux, enterprises
secured by Red Hat account for almost 70% of all workloads
87% of all Clouds run on OpenSource, Amazon AWS,
Rackspace, Google, Facebook, Yahoo etc (IDC, Forrester data)

4. Sunk by Windows NT
http://www.wired.com/science/discoveries/news/1998/07/13987

5. Security in Depth – Open Source evolution
The OpenSource community historically with it's release early,
release often / peer review / fast fix history is traditionally the
most proven security release model in computing.
If you are concerned about how your platforms evolve you need
to have engagement with Red Hat – sooner rather than later
Security is a LOT more than CERT advisories and version
control – what risk your data and reputation ?

6. Red Hat – Enforcing Security By Design
We employ 70% of all of the contributors to the mainstream
Linux kernel projects / technologies.
SELinux (NIST adopted), sVirt, SPICE, Gluster, Apache,
LibVirt, KVM – all Red Hat led projects by staff on our payroll
Linux technologies empower DAX, NYSE, NEXT, FTSE
Linux in Defence is already in use in NATO, US, Australia
Ever increasing government adoption of certified Linux
partnering with Red Hat in supported programmes

7. Red Hat – Security Certifications and
Accreditations
Red Hat Enterprise Linux is the most certified operating
system available today.
RHEL has passed the Common Criteria process 13 times on four
different hardware platforms.
Red Hat Enterprise Linux 5 has even received Common Criteria
certification at Enterprise Assurance Level 4 (EAL 4+) under the
Controlled Access Protection Profile (CAPP), Label Security
Protection Profile (LSPP) and the Role-Based Access Control
Protection Profile (RBACPP), providing a level of security and a
feature set that was previously unheard-of from a mainstream
operating system.
JBoss Enterprise Application Platform is Common Criteria certified
at EAL 2+.

8. Red Hat – Reacting to Security Threat
Fourteen year track record in CERT advisory publication and
patch creation.
Industry leading reaction speed to patch creation, testing,
documentation and push not just to our supported customer
subscription base but to the entire community (which will
appear often months later in Oracle Linux, SuSE, Ubuntu,
and AIX 5.x).
Acknowledged by US Gov, NIST, Symantec & CERT as
the most prolific security patching and release of any
software vendor including Microsoft.

9. Red Hat – Reacting to Security Threat
Source: http://www.awe.com/mark/blog/20110520.html

10. Red Hat – Security in Depth - Realtime
Microsoft time to patch release on ave 14-17 days for minor
system security releases, often longer, 9-11 days for major
system vulnerabilities in cycle – rarely sub 7 days for a patch
Red Hat average time to release a patch is one day, often
the release of a documented advisory and the release of both
fix AND source to customer and the wider community is less
than 18-24 hours post discovery. Sometimes quicker.
This is part of the Red Hat commitment to security and
our stance on reputation protection and end user value
for our subscription customers across the board.

11. Virtualisation / Mobility – new threats
Cloud – new security audit / accreditation / threat fabric / GRC
Misunderstood / non defined audit model for vendors
Risk of vendor non compliance / governance control
Mobility of data and application – what can we migrate ?
Understanding the hidden costs of Cloud aligned to security
Vendor selection process – involving Red Hat at Day One
Understanding security within cloud application lifecycle

12. Virtualisation Vulnerabilities
IBM X-Force 2010 Mid-Year Trend and Risk Report
ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF

13. Engagement Model
Are you a consumer of technology or do you see yourself as
a thought leader / decision maker in platform evolution ?
Understanding how / when to engage – event or vendor driven ?
Picturing risk and building threat fabric models – modelling risk
Protecting core platforms from zero day attack and exploit
Re-educating sovereign governments around accreditation
and empowering the future of your IT ownership
Reducing core implementation costs / protecting platforms/data
Delivering the ability to protect at sovereign territory level with
confidence and with backup from Red Hat globally and locally

14. Cloud introduces new management challenges

15. Moving ahead – next steps
We are already engaged with Governments and Agency’s
around the world.
We are MORE than a Linux OS provider!! We are an Open
Source company and Security is at the heart of what we do
Red Hat are part of the evolution of where you are already going
How can we assist you ? Accreditation / Applications / Ambition
Security of platforms and architecture – Red Hat should be part
of your business as usual process – we're here to help you
Engage with your local Red Hat EMEA organisation

16. Thanks for listening
Questions? - jeremy@redhat.com