CERT® Coordination Center

Choosing an Operating System

We receive reports of incidents from sites that use a wide variety of operating systems (OS). Because of operating-system-related difficulties these sites have experienced, we are recommending some things to consider before choosing an operating system.

In-House vs. Outside Tech Support

Consider these things:

  • Do you have in-house expertise to do necessary software maintenance if you're using freely available software?
  • Can you buy a product with vendor-supplied customer support?
  • Do you need to pay a third party for customer support?

Freely-Available vs. Commercial Software

If you have knowledgeable staff, you may choose to use freely available OS versions so that you can maintain or fine-tune the product to meet specific requirements. You might have more confidence in the modified OS because you were responsible for making changes or closely involved in the implementation of patches or workarounds. If you know about a vulnerability and understand the problem, you may want to apply fixes immediately to the source code rather than wait for an upgrade or patch to be released through other channels.

If you select freely available OS versions and don't have the resources to maintain software in-house, it's important to know that you could be placing your site at a high risk of compromise. This risk can exist because your site will not be receiving security patches on a regular basis from a vendor (or third party). In cases where intruders are exploiting a vulnerability, operating system vendors may have analyzed the vulnerability and released security patches for their operating systems. On the other hand, sites with freely available OS versions but without the expertise to develop and install patches may remain at risk from the vulnerability.

If you do not have the time or expertise to modify and maintain an operating system in-house, you might choose a commercial vendor product. When you buy a commercial operating system, you can purchase a service contract to provide you with patches, upgrades, and other customer assistance. Alternatively, you could buy third-party service or select products from vendors who implement fixes and make patches publicly available.

Understand Your Needs

When choosing an operating system, there are many things you need to consider. Among these are

  • Availability of source code vs. binaries
  • Availability of technical expertise (internal and external)
  • Maintenance and/or customer support
  • Customer requirements and usability
  • Cost of software, hardware, and technical support staff

Regardless of the choice you make, you should first carefully review and understand the needs of your organization or customer base in terms of resources, cost, and security risk, as well as any site-specific constraints; compare the available products and services to your needs; and then determine what product best matches your needs.


This document is available from: http://www.cert.org/tech_tips/choose_operating_sys.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1999 Carnegie Mellon University.


Revision History

Oct 02, 1997: Initial Release
Feb 12, 1999: Converted to new web format