Many governments require certification to the international Common Criteria standard before they're allowed to purchase a specific computing product. SuSE Linux Enterprise Server 8 running on IBM's Intel-based xSeries servers achieved Evaluation Assurance Level 2 (EAL2) of the Common Criteria, the companies are expected to announce at the LinuxWorld Conference and Expo.
"It certainly raises the viability and increases the trust level of Linux in government contracts," IDC analyst Chris Christiansen said. Though commercial buyers don't usually give Common Criteria certification much more than passing notice, "the government market is very large," he said.
Common Criteria certification ensures software meets several security requirements. It also ensures that companies supporting the software meet requirements for documenting security features, handling vulnerabilities and testing products.
However, obtaining the certification is time consuming and expensive. "Unfortunately, only a few very large vendors of hardware and software can afford the certification process," Christiansen said.
While the move is important for Linux, the 12-year-old Unix-like operating system still lags competitors in the certification process. Microsoft's Windows 2000, along with Sun Microsystems' Solaris, IBM's AIX and Hewlett-Packard's HP-UX, have the higher EAL4 certification.
IBM spokesman Clint Roswell said IBM expects to receive EAL3 certification for SuSE Linux by the end of 2003, with EAL4 to come later. Also by the end of the year, IBM's Common Criteria certification for Linux will extend beyond its Intel servers to IBM's other three server lines as well, he said.
Obtaining EAL2 certification typically costs between $400,000 (£248,416) and $500,000, Roswell said.
IBM and SuSE will release "key components of the Common Criteria evaluation" to the Linux development community, the companies said.
Red Hat sells the most widely used version of Linux, a step ahead of No. 2 SuSE. Database giant Oracle is working with Red Hat to obtain Common Criteria EAL2 certification for its product by the end of the year.
One military customer expressed support for the move. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission-critical environments," Fritz Schulz of the US Defense Information Systems Agency (DISA), said in a statement.
In a separate announcement on Tuesday, the Free Standards Group is expected to announce that the DISA now requires that Linux meet the FSG's Linux Standard Base specification before it may be used by the US military. The standard will help ensure it's easier to move applications from one version of Linux to another, Schulz said.
IBM said it's working to create a version of SuSE's Linux that complies with another US military requirement, the Common Operating Environment, which is software that shields military computer users from differences between numerous different operating systems.
The security of Linux is "pretty comparable to the security in commercial operating systems," said Neel Mehta a research engineer at Internet Security Systems whose job is to pore through code looking for potential weaknesses. "I think software is becoming more secure, and Linux has followed the same trend. You don't see the simple vulnerabilities or simple coding errors to the same extent you would three or four years ago."
However, Mehta didn't agree with an argument many open-source advocates make, that the open nature of their software's underlying source code means more people can stamp out vulnerabilities.
"I don't think it's necessarily true that it's more secure because the source is out there," Mehta said. "Not everybody looks at it, and not everybody is qualified to evaluate software in an in-depth level."
