Why don't more commercial operating systems meet the highest security requirements described in the Orange Book?
The Orange Book stipulates the security requirements a standard system needs. It helps measure different levels of protection and security through the use of policies and the assurance of security through trust. It facilitates continuous measurement of a system's security level, acts as a guide to the design of security-conscious systems, and ensures that such requirements are acquired effectively (Landwehr, 1985).
There are many reasons why most commercial operating systems go against or fail to meet the security requirements in the Orange Book. First, the very fact that these operating systems are aimed at profit generation is a hindrance to meeting the stipulated security requirements. Most developers will trade off security for faster development, and hence quick profits and numerous sales. It is also possible that most consumers will choose less secure but cheap operating systems. This stems from the fact that most potential customers of commercial operating system developers hold less sensitive data that may not call for extremely high levels of security (Landwehr, 1985).
Time is also a driving force behind commercial developers' neglect of the Orange Book security requirements. Designing a highly secure system could take as much time as the development itself, or even more. This is a challenge to commercial system developers who are out to make profits. Customers who place orders may also set short deadlines for complete development and implementation of the systems. Developers then resort, in most cases, to trading off security issues of which customers may not be aware, in order to build reliability and efficiency in delivery.
Lastly, there is the question of whether some requirements are necessary in the design and development of operating systems. As mentioned earlier, the data held by users of these systems is not as sensitive as that held in, say, government databases. Customers of commercial operating systems may not require complex security levels, so these requirements are commonly ignored. This comes back to the difference between user requirements and the stipulations in the Orange Book (Landwehr, 1985).
References
Landwehr, C. E. (1985). Determining Security Requirements for Complex Systems with the Orange Book. Ft. Belvoir: Defense Technical Information Center.