On Nov 9, 2007 10:53 AM, new_guy  wrote:

quoted text
> If this is off-topic, I apologize. Just tell me and I'll go away ;)

>

> I'm having discussions with a coworkers about moving to OpenBSD for

> Apache/PHP web hosting. Right now, we use various Linux distros. I have no

> problem with that. Linux is cool... but it's takes more time to secure and

> manage. I like the Suhosin (Hardened PHP patch in OpenBSD's PHP package) and

> the fact that Apache is chrooted by default. We even uploaded some php

> exploit code onto a test OpenBSD box (r57shell) to see how well it contained

> the exploit. It worked well. All of these demos and discussions are

> informal. So here's the question: Are there any formal/corporate comparisons

> that demonstrate the enhanced security of OpenBSD when compared to other

> solutions in this space that we can provide to upper management?

Sadly, justifying the obvious through these means is often a requirement.
Here's an approach you might consider. Take a best practice /

standards guide such as from NIST:
http://www.itl.nist.gov/lab/bulletns/bltndec02.htm

http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v...
And for the points your organization feels are important (like what

you've listed above), map how OpenBSD's implementation and OS approach

addresses those points. You'll find this is a pretty good indicator

and should be well accepted by the folks that matter.
DS