Trust validation of programmers

["Stout, Bill" <StoutB () pios com>]

Is there a certification authority or bonding process for hiring or
contracting programmers who develop security systems?  Something similar
to the Department of Defense background check for the commercial market?

We talk about how important it is to do strong authentication of the
user for trust validation, but not strong authentication of the
programmer or organization who wrote each piece of the security system.
Certificate authorities such as Verisign, GTE, etc, exist for server
websites and applets, user browsers and e-mail, but not the for
contractors or hirees who write sensitive programs (or security source
code itself).  It'd be of some comfort to hear the contracted say 'Yes,
I'm bonded' or better yet, 'Here's my commercial security
certification'.  Though I have no suggestions on how that trust would be
validated by the C.A. in granting a certificate of trust.

Programmers experienced with Internet security have to have hacking
experience, since they need to know how to test their work, and know
historical flaws of similar systems.  You may defend your systems from
determined hackers one day, then hire in a consultant the next of
unknown trust to develop your new security system (you almost always
hire strangers, right?).  How far the consultant takes his career is
unknown.

Similarly the CIA/NSA chiefs are concerned about 'treacherous Y2K
programmers'
(http://cgi.pathfinder.com/netly/article/0,2334,13799,00.html), but at
this time I don't see anything more than standard company background
checks (calling references) being reasonable or possible.

Bill Stout