Secure Coding mailing list archives

Re: Security Standard Branding & Expectation Checklists


From: "Jared W. Robinson" <jwr () xmission com>
Date: Fri, 09 Jan 2004 00:23:03 +0000

On Wed, Jan 07, 2004 at 08:16:04PM -0800, Crispin Cowan wrote:
> For 6 or 7 digits of money, various labs will certify that your
> product complied with those well-established software development
> methods, and provides certain mandatory features such as audit
> logging.

I guess I was hoping for something much less expensive -- aimed at the
consumer and small business market. A certification that was mostly
aimed at raising the bar of consumer expectations, cheaply. Maybe
even something that, at its lowest levels, was self-certification.

Perhaps a website could be developed to assist in informal, community
certification. I think I saw something like this at http://lsap.org
(their database doesn't seem to be working at the moment).

> None of which prevents you from having a remotely exploitable buffer
> overflow on day 1 after certification is granted and your product is
> released.

Right.

> [security certification] remains problematic, because as someone
> observed here today, security is a "negative" property, that the
> software will *not* do something nasty when fed unexpected input, and
> that is hard to test for.

True; but you can measure whether a response process is in place, etc.

- Jared







