[Info-vax] VMS and security
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Nov 8 16:28:25 EST 2022
On 2022-11-03 13:42:27 +0000, Simon Clubley said:
> On 2022-11-02, IanD <iloveopenvms at gmail.com> wrote:
>>
>> I would have thought VMS could leverage its historical reputation in
>> security to give it an advantage against Linux at least, but I'm not
>> convinced it has done enough to ensure it's up to date in the modern
>> security landscape and it really needs to make sure it has its ducks
>> all in a row and then some because any failure in the security arena
>> could/would end VMS chances of making a comeback
>
> Unfortunately, the idea of VMS security somehow being comparable to
> today's expected security standards is utterly delusional.
>
> Even Linux is _far_ in advance of what VMS offers.

Write a secure app with encrypted data storage, with secure key
management, with encrypted and authenticated connections checking
client and server certs, with IPv4 and IPv6 support, integrate the
results with LDAP, and with the OpenVMS system configuration such that
the app won't allow access all over if it's breached (e.g. sandboxing).

If the goals involve writing an app from before Y2K and with older
security requirements, or incrementally updating security in same,
sure, OpenVMS does fine. But... have y'all thought about how much is
missing from the programming concepts manual and the security manual,
and how much of what does exist for documentation is just scattered
around in mostly-unrelated OpenVMS and layered product manuals, or
sometimes in comments in files, or documentation at related websites?

Connecting using public key authentication using common root certs—the
Mozilla server root cert list, for instance—is itself more of a project
than it ever should be. Can this stuff be done with OpenVMS? Sure. But
there are myriad ways to screw it up. Too many subtle ways, too.

--
Pure Personal Opinion | HoffmanLabs LLC