Secure Coding mailing list archives

Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading


From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 30 Nov 2007 15:37:47 -0500 (EST)


On Fri, 30 Nov 2007, Shea, Brian A wrote:

> Software vendors will need a 3 tier approach to software security:  Dev
> training and certification, internal source testing, external
> independent audit and rating.

I don't think I've seen enough emphasis on this latter item.  A
sufficiently vibrant set of independent testing organizations that follows
some established procedures would be one way for customers to get an
independent guarantee of software's (relative) security.  This in turn
could put pressure on other vendors to follow suit.

The challenges would be defining what those procedures should be,
maintaining them in a way so that they remain relevant, convincing
existing research organizations to participate, and handling the problem
of free (as in beer) software.

A gazillion years ago, John Tan of the L0pht proposed an "Underwriters
Laboratories" for software, and maybe its time is almost upon us.

- Steve
