The well-established consensus within the industry is that information Security is something that cannot be sprayed on a system during final stages of its development, it has to be built-in from the beginning. Let's stop for a second, and take a closer look at what does this actually mean in practice.
A common wisdom from experienced security professionals suggests, that poor security architecture and design may result in delivery of fundamentally flawed systems that are broken beyond repair from information security viewpoint. Fortunately, many projects out there can still become success stories by prudent application of post-development common sense, such as
- installing a firewall,
- switching to TLS,
- deploying an intrusion detection system, and
- applying good operational practices such as timely application of security patches.
From pure software engineering viewpoint this kind of operative measures can arguably be viewed as spraying the security on a system after the development, merely the golden process of hardening any production systems about to go live.
With introduction of ICE Linux there will be one more robust tool available for the operations staff to spray some powerful security magic on any systems based on Linux virtualization containers. Fundamentally, ICE Linux can be viewed as a powerful tool of disruptive strength for hardening mission-critical virtual machine deployments. With its strong integrity protection foundation no casual remote execution - privilege escalation technique will work as expected, dramatically slowing down the hackers due to required manual analysis work, often directing them towards easier exploitation targets.
Even when equipped with interactive remote shell with full administrative privileges the hackers will be struggling to even perform naive tasks, such as viewing plaintext files from the compromised system. After all, this is precisely the basic premise for eventual ICE Linux security audits by independent penetration testing labs.
Happy hacking.
