Secure Coding mailing list archives

Re: Security Standard Branding & Expectation Checklists


From: Crispin Cowan <crispin () immunix com>
Date: Thu, 08 Jan 2004 14:49:14 +0000


Jared W. Robinson wrote:


> The idea would be to put a sticker or a logo on software that met some
> level of security expectation. Customers could be educated to look for
> these stickers, and it would hopefully influence their purchasing
> decisions.

This is what ICSA Labs 
<http://www.trusecure.com/knowledge/icsa/index.shtml> does. For a modest 
fee (5 digits of money) they will certify a product as being 
something-or-other secure, based on testing to ensure the product 
complies with what the vendor says it should do.



> There could be different levels of certification. The first one or two
> levels could be introduced to consumers first, and would raise the bar
> gradually. As the expectations were raised, new, more difficult levels
> would be introduced.

This is what the old Orange Book standard did, and kind of what the 
Common Criteria does today. For 6 or 7 digits of money, various labs 
will certify that your product complies with those well-established 
software development methods, and provides certain mandatory features 
such as audit logging. None of which prevents you from having a remotely 
exploitable buffer overflow on day 1 after certification is granted and 
your product is released.


If you've detected a note of cynicism, you'd be correct :) IMHO, methods-based 
certification is broken; it certifies what "should" happen instead 
of what *does* result. I think ICSA's testing-based certification is 
more useful than the Common Criteria. But it remains problematic, 
because, as someone observed here today, security is a "negative" 
property, that the software will *not* do something nasty when fed 
unexpected input, and that is hard to test for.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
