Secure Coding mailing list archives

Re: Security Standard Branding & Expectation Checklists


From: Crispin Cowan <crispin () immunix com>
Date: Fri, 09 Jan 2004 20:33:52 +0000


Jared W. Robinson wrote:

> On Wed, Jan 07, 2004 at 08:16:04PM -0800, Crispin Cowan wrote:
>
>> For 6 or 7 digits of money, various labs will certify that your
>> product complied with those well-established software development
>> methods, and provides certain mandatory features such as audit
>> logging.
>
> I guess I was hoping for something much less expensive --

*Everyone* was hoping for a less expensive process, but finding one that 
is effective has been problematic. Security assurance is a *hard* 
problem. In the general case it reduces to solving Turing's Halting 
Problem, so it is going to be uncomfortable forever.



> aimed at the
> consumer and small business market. A certification that was mostly
> aimed at raising the bar of consumer expectations, cheaply. Maybe
> even something that, at its lowest levels, was self-certification.

The ICSA Labs service that I linked to and you cut out is aimed 
precisely at this market. Costs about $50K or so, depending on a bunch 
of variables.



> Perhaps a website could be developed to assist in informal, community
> certification. I think I saw something like this at http://lsap.org
> (their database doesn't seem to be working at the moment).

http://Sardonix.org is my attempt at a community security certification 
web site. My database is working :) but the silence from community 
members willing to step up and audit code has been deafening.



>> [security certification] remains problematic, because as someone
>> observed here today, security is a "negative" property, that the
>> software will *not* do something nasty when fed unexpected input, and
>> that is hard to test for.
>
> True; but you can measure whether a response process is in place, etc.

True. And I am working on a new form of empirical security evaluation 
based roughly on that notion. But it seems that it will cost about $50K 
worth of labor to execute each evaluation.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/









