On 11/30/2010 10:42 AM, Lamar Owen wrote:
It boils down to balancing 'it breaks my app that I can't or won't fix' against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the business'. Right now, in my experience, that is SELinux. Break-ins to my servers are extremely rare (one machine out of several dozen internet-exposed machines in 13 years). SELinux randomly taking out some aspect of operations is fairly frequent in comparison (several incidents on just the handful of machines I have that it was left active on).
Security is not an end unto itself. It exists to support the business making money. If a cost-saving measure is costing the business more than it is saving it, it is *not* a good idea no matter how technically superior it is.
This in a very real sense is similar to the 'how much resources should measures to prevent shoplifting be given' in a retail store. If the anti-shoplifting measures are costing *more* than the shoplifting you are preventing - you have lost sight of the actual reason for anti-shoplifting measures in the first place.