Secure Coding mailing list archives
Re: Security Standard Branding & Expectation Checklists
From: "Jared W. Robinson" <jwr () xmission com>
Date: Fri, 09 Jan 2004 00:23:03 +0000
On Wed, Jan 07, 2004 at 08:16:04PM -0800, Crispin Cowan wrote:
> For 6 or 7 digits of money, various labs will certify that your product complied with those well-established software development methods, and provides certain mandatory features such as audit logging.
I guess I was hoping for something much less expensive -- aimed at the consumer and small business market. A certification that was mostly aimed at raising the bar of consumer expectations, cheaply. Maybe even something that, at its lowest levels, was self-certification. Perhaps a website could be developed to assist in informal, community certification. I think I saw something like this at http://lsap.org (their database doesn't seem to be working at the moment).
> None of which prevents you from having a remotely exploitable buffer overflow on day 1 after certification is granted and your product is released.
Right.
> [security certification] remains problematic, because as someone observed here today, security is a "negative" property, that the software will *not* do something nasty when fed unexpected input, and that is hard to test for.
True; but you can measure whether a response process is in place, etc.

- Jared
Current thread:
- Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 07)
- Re: Security Standard Branding & Expectation Checklists Brett Hutley (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)
- Re: Security Standard Branding & Expectation Checklists Crispin Cowan (Jan 09)
- RE: Security Standard Branding & Expectation Checklists David Crocker (Jan 10)
- RE: Security Standard Branding & Expectation Checklists ljknews (Jan 10)
- Re: Security Standard Branding & Expectation Checklists Jeff Williams @ Aspect (Jan 11)
- Re: Security Standard Branding & Expectation Checklists Jared W. Robinson (Jan 08)