Secure Coding mailing list archives
Re: Security Standard Branding & Expectation Checklists
From: Crispin Cowan <crispin () immunix com>
Date: Thu, 08 Jan 2004 14:49:14 +0000
Jared W. Robinson wrote:

> The idea would be to put a sticker or a logo on software that met some level of security expectation. Customers could be educated to look for these stickers, and it would hopefully influence their purchasing decisions.

This is what ICSA Labs <http://www.trusecure.com/knowledge/icsa/index.shtml> does. For a modest fee (5 digits of money) they will certify a product as being something-or-other secure, based on testing to ensure the product complies with what the vendor says it should do.

> There could be different levels of certification. The first one or two levels could be introduced to consumers first, and would raise the bar gradually. As the expectations were raised, new, more difficult levels would be introduced.

This is what the old Orange Book standard did, and kind of what the Common Criteria does today. For 6 or 7 digits of money, various labs will certify that your product complied with those well-established software development methods, and provides certain mandatory features such as audit logging.

None of which prevents you from having a remotely exploitable buffer overflow on day 1 after certification is granted and your product is released.

If you've detected a note of cynicism, you'd be correct :) IMHO, methods based certification is broken; it certifies what "should" happen instead of what *does* result. I think ICSA's testing-based certification is more useful than the Common Criteria. But it remains problematic, because as someone observed here today, security is a "negative" property, that the software will *not* do something nasty when fed unexpected input, and that is hard to test for.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/

Current thread:
- Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 07)
- Re: Security Standard Branding & Expectation Checklists Brett Hutley (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 09)
- RE: Security Standard Branding & Expectation Checklists David Crocker (Jan 10)
- RE: Security Standard Branding & Expectation Checklists ljknews (Jan 10)
- Re: Security Standard Branding & Expectation Checklists Jeff Williams @ Aspect (Jan 11)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)