On Nov 9, 2007 10:53 AM, new_guy <[EMAIL PROTECTED]> wrote:
> If this is off-topic, I apologize. Just tell me and I'll go away ;)
>
> I'm having discussions with coworkers about moving to OpenBSD for
> Apache/PHP web hosting. Right now, we use various Linux distros. I have no
> problem with that. Linux is cool... but it takes more time to secure and
> manage. I like the Suhosin (Hardened PHP patch in OpenBSD's PHP package) and
> the fact that Apache is chrooted by default. We even uploaded some php
> exploit code onto a test OpenBSD box (r57shell) to see how well it contained
> the exploit. It worked well. All of these demos and discussions are
> informal. So here's the question: Are there any formal/corporate comparisons
> that demonstrate the enhanced security of OpenBSD when compared to other
> solutions in this space that we can provide to upper management?
Sadly, justifying the obvious through these means is often a requirement.

Here's an approach you might consider. Take a best practice / standards guide such as from NIST:

http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf

And for the points your organization feels are important (like what you've listed above), map how OpenBSD's implementation and OS approach addresses those points. You'll find this is a pretty good indicator and should be well accepted by the folks that matter.

DS