Secure Coding mailing list archives
Re: Security Standard Branding & Expectation Checklists
From: Crispin Cowan <crispin () immunix com>
Date: Fri, 09 Jan 2004 20:33:52 +0000
Jared W. Robinson wrote:

> On Wed, Jan 07, 2004 at 08:16:04PM -0800, Crispin Cowan wrote:
>
>> For 6 or 7 digits of money, various labs will certify that your product complied with those well-established software development methods, and provides certain mandatory features such as audit logging.
>
> I guess I was hoping for something much less expensive --

*Everyone* was hoping for a less expensive process, but finding one that is effective has been problematic. Security assurance is a *hard* problem. In the general case it reduces to solving Turing's Halting Problem, so it is going to be uncomfortable forever.

> aimed at the consumer and small business market. A certification that was mostly aimed at raising the bar of consumer expectations, cheaply. Maybe even something that, at its lowest levels, was self-certification.

The ICSA Labs service that I linked to and you cut out is aimed precisely at this market. Costs about $50K or so, depending on a bunch of variables.

> Perhaps a website could be developed to assist in informal, community certification. I think I saw something like this at http://lsap.org (their database doesn't seem to be working at the moment).

http://Sardonix.org is my attempt at a community security certification web site. My database is working :) but the silence from community members willing to step up and audit code has been deafening.

>> [security certification] remains problematic, because as someone observed here today, security is a "negative" property, that the software will *not* do something nasty when fed unexpected input, and that is hard to test for.
>
> True; but you can measure whether a response process is in place, etc.

True. And I am working on a new form of empirical security evaluation based roughly on that notion. But it seems that it will cost about $50K worth of labor to execute each evaluation.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
Immunix 7.3 http://www.immunix.com/shop/