Firewall Wizards mailing list archives

Re: Trust validation of programmers


From: Aleph One <aleph1 () dfw net>
Date: Fri, 26 Jun 1998 00:14:14 -0500 (CDT)

On Thu, 25 Jun 1998, Stout, Bill wrote:

> Is there a certification authority or bonding process for hiring or
> contracting programmers who develop security systems?  Something similar
> to the Department of Defense background check for the commercial market?
>
> We talk about how important it is to do strong authentication of the
> user for trust validation, but not strong authentication of the
> programmer or organization who wrote each piece of the security system.
> Certificate authorities such as Verisign, GTE, etc., exist for server
> websites and applets, user browsers and e-mail, but not for the
> contractors or hirees who write sensitive programs (or security source
> code itself).  It'd be of some comfort to hear the contracted say 'Yes,
> I'm bonded' or better yet, 'Here's my commercial security
> certification'.  Though I have no suggestions on how that trust would be
> validated by the C.A. in granting a certificate of trust.

CAs bind identity. Nothing more. You are better off looking for some
type of security certification. There are a couple of security institutes
that have certification programs, although I cannot recall their names off
the top of my head.

> Bill Stout

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 


