OpenBSD has a reputation for being super secure but are there any big organizations that actually use it for security critical applications? A quick search shows outdated or non-related results.
I've seen it used before commercial security/networking appliances got "good" (generally pre-2010ish), but I think its use has diminished. I was a huge OpenBSD user back then as the networking (routing/firewalling/etc) was so simple AND powerful. I stopped when ScreenOS and later Juniper matured to the point where updates were just uploading firmware and hardware upgrades were just dumping the old configs in.
I knew it was deployed at a few non-tech oriented Fortune 500 companies (eg not banks or tech firms) as late as 2016, but I've been out of that market since.
It's like a scene from some movie, there's a hacker in a dark room, connects to some machine deep inside of mega corp and the login prompt comes on screen...
Connected to 123.4.002.312
Welcome to OpenBSD 6.2!
login:
Hacker: Dammit, it's an OpenBSD system. We'll never get in!
OpenBSD is secure in the default install; it's just that their default install has basically had everything turned off since forever.
Mind you, that was a great improvement over things like Windows NT, but "this is super secure as long as you don't do anything with it" is not as incredibly useful as it sounds like at first.
I like having to install the things I really want, which gives me a chance to consider the security implications of them, instead of having many things pre-installed and I don't know what the total risks are. And nothing else I know of has gone since ~1996 with only 2 of the worst kind of security holes (i.e., remote exploit of something I didn't even need, but was installed by default).
In the base install are many useful things (including a web server IIRC, though the port is not exposed by default), and those are audited and have that excellent track record.
Then when you install extra things, they are usually limited by what user they run as, and usually have pledge/unveil run (limiting access to predetermined/approved syscalls and parts of the file system) so they can't break other things if compromised.
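As an added illustration of the pledge/unveil pattern mentioned above (example code, not from the thread or from any OpenBSD port): a small program that unveils one configuration directory read-only, then pledges down to stdio and read-only path access. The config directory path and the probe paths are assumptions; on non-OpenBSD systems the two calls are stubbed to no-ops so the file still compiles, and the restrictions only take effect on OpenBSD.

```c
/* Added example: lock a process down with unveil(2) and pledge(2). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stubs so the example compiles elsewhere; they restrict nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif

/* Restrict the process to reading config_dir and using stdio.
 * Returns 0 on success, -1 with errno set if a call is refused. */
int lock_down(const char *config_dir)
{
    /* Only config_dir stays visible, read-only; all other paths vanish. */
    if (unveil(config_dir, "r") == -1)
        return -1;
    /* unveil(NULL, NULL) freezes the filesystem view permanently. */
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* From here on: stdio plus read-only path syscalls. Any other syscall
     * (sockets, exec, writes) terminates the process with SIGABRT. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

/* Probe whether a path can still be opened read-only after lock_down().
 * On OpenBSD a path outside the unveiled directory fails with ENOENT. */
int can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    const char *cfg = "/etc"; /* assumed config directory */
    if (lock_down(cfg) == -1) {
        perror("lock_down");
        return 1;
    }
    printf("/etc/passwd readable: %d\n", can_read("/etc/passwd"));
    printf("/usr readable:        %d\n", can_read("/usr"));
    return 0;
}
```

On OpenBSD the second probe prints 0 because /usr was never unveiled; on other systems both probes print 1 since the stubs enforce nothing.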
I have read that many security innovations [1] get implemented in OpenBSD soon, like W^X [2]. But I don't know enough about OpenBSD and I would like to hear as well if any organization uses it for mission critical applications.
Given the world runs on Linux servers, it's pretty obvious that it is probably the most secure.
Outside black boxes like M$ and Apple, FOSS OS level seems quite secure. How often do you see Linux malware caused by the OS in the wild? Sure, you install WordPress and never update it and get a cryptominer installed, but it's not like anyone is pinging a server with a picture and an overflow error is causing a Pegasus exploit.
Actually it makes their point. Linux is super widely used, meaning it has millions of eyes on its codebase and it's a very high value target for both attackers and security researchers. OpenBSD is just a LOT less used, meaning that there might be latent security problems that no one bothered to uncover. It's very easy to have fewer CVEs when you are used less; that's why I have some doubt about the "secure" reputation it has.
High quality code reduces instances of vulnerabilities, which is great. But code vulnerabilities are only one of the many factors in assessing security.
To be considered a secure operating system, you need to have more mechanisms in place to protect against various threats, and the OBSD developers actively resist that. I'm familiar with their innovations and solutions, and I think they fall far short.