Firewall Wizards mailing list archives
Re: Trust validation of programmers
From: Aleph One <aleph1 () dfw net>
Date: Fri, 26 Jun 1998 00:14:14 -0500 (CDT)
On Thu, 25 Jun 1998, Stout, Bill wrote:
Is there a certification authority or bonding process for hiring or contracting programmers who develop security systems? Something similar to the Department of Defense background check for the commercial market? We talk about how important it is to do strong authentication of the user for trust validation, but not strong authentication of the programmer or organization who wrote each piece of the security system. Certificate authorities such as Verisign, GTE, etc., exist for server websites and applets, user browsers and e-mail, but not for the contractors or hirees who write sensitive programs (or security source code itself). It'd be of some comfort to hear the contracted say 'Yes, I'm bonded' or better yet, 'Here's my commercial security certification'. Though I have no suggestions on how that trust would be validated by the C.A. in granting a certificate of trust.
CAs bind identity. Nothing more. You are better off looking for some type of security certification. There are a couple of security institutes that have certification programs, although I cannot recall their names off the top of my head.
Bill Stout
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01