Firewall Wizards mailing list archives
Trust validation of programmers
From: "Stout, Bill" <StoutB () pios com>
Date: Thu, 25 Jun 1998 20:28:37 -0400
Is there a certification authority or bonding process for hiring or contracting programmers who develop security systems? Something similar to the Department of Defense background check for the commercial market?

We talk about how important it is to do strong authentication of the user for trust validation, but not strong authentication of the programmer or organization who wrote each piece of the security system. Certificate authorities such as Verisign, GTE, etc., exist for server websites and applets, user browsers and e-mail, but not for the contractors or hirees who write sensitive programs (or security source code itself).

It'd be of some comfort to hear the contracted say 'Yes, I'm bonded' or better yet, 'Here's my commercial security certification'. Though I have no suggestions on how that trust would be validated by the C.A. in granting a certificate of trust.

Programmers experienced with Internet security have to have hacking experience, since they need to know how to test their work, and know historical flaws of similar systems. You may defend your systems from determined hackers one day, then hire in a consultant the next of unknown trust to develop your new security system (you almost always hire strangers, right?). How far the consultant takes his career is unknown.

Similarly the CIA/NSA chiefs are concerned about 'treacherous Y2K programmers' (http://cgi.pathfinder.com/netly/article/0,2334,13799,00.html), but at this time I don't see anything more than standard company background checks (calling references) being reasonable or possible.

Bill Stout
Current thread:
- Trust validation of programmers Stout, Bill (Jun 25)
- Re: Trust validation of programmers Aleph One (Jun 26)
- <Possible follow-ups>
- Re: Trust validation of programmers Ted Doty (Jun 26)
- Re: Trust validation of programmers tqbf (Jun 28)
- Re: Trust validation of programmers Rick Smith (Jun 30)