Secure Coding mailing list archives

Security Standard Branding & Expectation Checklists


From: "Jared W. Robinson" <jwr () xmission com>
Date: Thu, 08 Jan 2004 02:00:54 +0000

Could a branding campaign be used to promote secure software?

Various people have stated that the reason software isn't more secure is
that consumers don't demand it. Some kind of a consumer-targeted
branding campaign might help.

The idea would be to put a sticker or a logo on software that met some
level of security expectation. Customers could be educated to look for
these stickers, and it would hopefully influence their purchasing
decisions.

There could be different levels of certification. The first one or two
levels could be introduced to consumers first, and would raise the bar
gradually. As the expectations were raised, new, more difficult levels
would be introduced.

I see that handling the security of software falls into three
categories: 1. Prevention, 2. Detection and 3. Response. Most of what we
discuss on this list falls into the first category. I think that
consumers are most concerned about the last category -- response.

Maybe the first (and easiest) level of certification could focus on the
response process. Does the vendor include the ability to update the
software (à la Windows Update)? And does that system use digital
signatures to verify the authenticity of the downloaded update?

A second level of certification could start to focus on the prevention
category. I'm sure privacy would fit in somewhere too.

I'll stop there with my thoughts. What do you think?

- Jared

-- 
"It's a well known technology truism that [not] all of the smart people
work for you, and that one of the surest ways to success is to get more
ideas and more work out of people outside your own fences."
- Tim O'Reilly
