Oracle, Red Hat Team On Security Evaluation

Common Criteria is an internationally accepted standard for evaluating the security of IT products. A U.S. policy that took effect last summer requires federal agencies associated with national security to buy only independently evaluated products, said Mary Ann Davidson, chief security officer at Oracle.

"We had many customers approach us and ask if we'd help foster an evaluation of the Linux operating system," she said.

The companies will make the evaluation available to the open-source Linux community, she said.

"The intent is a more secure Linux for all," Davidson said.

Redwood Shores-based Oracle and Raleigh, N.C.-based Red Hat are submitting the Red Hat Linux Advanced Server for a Common Criteria evaluation at Evaluation Assurance (EAL) 2 and plan to bring Linux to the higher EAL 4 level in the future.

While the independent security evaluation of Linux is very important for government agencies, it also is key in the private enterprise, where security is becoming a growing concern, Oracle executives said.

"We see it as an opportunity for Oracle to demonstrate leadership in the Linux space," said Dave Dargo, vice president of the Linux program at the vendor.

The EAL 2 evaluation likely will be complete by the end of this year or early next year, Davidson said.

An Oracle spokeswoman said there was no set amount for how much Oracle and Red Hat will spend on the evaluation, but added that such evaluations typically cost between $500,000 and $1 million.

Last fall, Microsoft Windows 2000 earned a Common Criteria certification for EAL 4.