Full Disclosure mailing list archives

Re: How secure is software X?


From: Mike Hoskins <mhoskins () e2open com>
Date: Sat, 13 May 2006 12:25:23 -0700

David Litchfield wrote:
> Hi Justin,
> One thing you have to keep in mind is that a lot of things are incredibly
> variable when dealing with this subject.
> [...]
> There are a few things to remember:
> [...]

One thing I also believe is that while there will always be a lot of variables, there is still value in writing down a standard. So I guess I agree with "both sides" of this discussion.

If something is not in the standard and is deemed valuable, it can be amended. (I think it's obvious such a standard would be a living document, like OWASP, etc.) In the meantime, you can still say "software X complies with the standard" or "software Y does not comply with the standard". This at least gives you a subjective way (if the standard is well written) to compare and contrast products in terms of security.

The effort would form an "application security RFC" of sorts -- a given product either complies, or it does not. Compliance says something about the product's security, but does not say it is "unbreakable". Just like RFCs, some people will prefer compliant products while others won't likely care. Having such a standard would be useful to some of us, and the rest shouldn't be any worse off.

I sincerely hope that such a standard will not only come to exist, but that it will also be centrally coordinated so as to maximize community benefit. It's much easier to walk through 'the one true standard' than it is to compare and contrast a handful of standards.

Of course such a standard would have many focus areas, contributors, etc. It's just more valuable if a given standard gets buy-in and support rather than software X saying they comply with standard foo while software Y touts they comply with standard bar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
