Secure Coding mailing list archives
Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading
From: andre at operations.net (Andre Gironda)
Date: Sat, 1 Dec 2007 21:54:05 -0700
On Nov 30, 2007 1:37 PM, Steven M. Christey <coley at linus.mitre.org> wrote:
Software vendors will need a 3 tier approach to software security: Dev training and certification, internal source testing, external independent audit and rating.

I don't think I've seen enough emphasis on this latter item. A sufficiently vibrant set of independent testing organizations that follows some established procedures would be one way for customers to get an independent guarantee of software's (relative) security. This in turn could put pressure on other vendors to follow suit.
PCI PA-DSS, ISECOM OSSTMM v3, and OWASP Secure Software Contract Annexes (combined with the OWASP Web Security Certification Framework) will be available for use in the near-immediate future. Many other similar efforts will likely follow.
The challenges would be defining what those procedures should be, maintaining them in a way so that they remain relevant, convincing existing research organizations to participate, and handling the problem of free (as in beer) software. A gazillion years ago, John Tan of the L0pht proposed an "Underwriters Laboratories" for software, and maybe its time is almost upon us.
I thought this document was more about using FIPS 140-1 to verify hardware-based cryptographic systems (we now have FIPS 140-2 to do this for software crypto systems), while providing metrics of how long it takes to break said crypto via brute-force (in the same way it takes a safe-cracker to bust a safe open)? It's also interesting to note that the FIPS 140-n standards have four levels of verification.

Cheers,
Andre