SuSE Linux and IBM recently received the Evaluation Assurance Level 2+ (EAL2+) security certification, which is a security-based rating that the International Standards Organization (ISO) assigns under its ISO 15408 standard. ISO gave the rating to SuSE Linux Enterprise Server (SLES) 8 running on IBM's eServer xSeries hardware.
The EAL2+ rating is the second level of a seven-tier rating system, in which EAL7 is the highest rating that companies can obtain under the Common Criteria for Information Technology Security Evaluation (CCITSE). Last year, Microsoft Windows 2000 (with SP3 and the Q326886 hotfix installed) received the EAL4+ rating. The tests were performed with Windows 2000 running on Compaq Proliant, Dell Optiplex and PE hardware with Intel x86 processors. The EAL4 rating is held by dozens of other products, including operating systems such as Sun Solaris, Trusted Irix, and AIX, as well as Oracle database products.
A spokesperson for SuSE said, "Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security-related documentation, and product testing. In certifying SLES 8 on IBM xSeries, atsec information security GmbH evaluated how SuSE Linux develops, tests, and maintains its products, as well as assessing the processes in place at the company for handling security issues in its software. IBM and SuSE have committed to release key components of the Common Criteria evaluation to the CCeLinux Consortium and Linux development community by the end of the month. In addition, IBM and SuSE will continue to work with the open source development community to actively enhance Linux security to make Linux even more secure than it is today."
SuSE and IBM also announced that they'll now seek the EAL3+ rating, which they expect to achieve later this year. Later this year, the companies also expect to earn the Common Operating Environment (COE) rating, which is a US government standard used to verify the look-and-feel and functionality of a computing environment when joined with the government's customized code.
IBM Senior Vice President of Technology and Manufacturing Nicholas Donofrio said, "With this announcement, we continue to build upon our commitment to delivering Common Criteria certification across the IBM eServer platforms. Most importantly, the Common Criteria certification further validates the security and quality of open source software, not only for Global Government, but for other industries with critical security requirements."
"SuSE is the world's only open source operating system manufacturer which has technically demonstrated Common Criteria proficiency that can control and minimize security risks through a comprehensive quality assurance process," said SuSE Linux CEO Richard Seibt. "The Common Criteria evaluation marks yet another first for SuSE, and will further reassure companies of the high quality and security of the SuSE Linux Enterprise Server."