Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

[andre at operations.net (Andre Gironda)]

On Nov 30, 2007 1:37 PM, Steven M. Christey <coley at linus.mitre.org> wrote:
> > Software vendors will need a 3 tier approach to software security:  Dev
> > training and certification, internal source testing, external
> > independent audit and rating.
>
> I don't think I've seen enough emphasis on this latter item.  A
> sufficiently vibrant set of independent testing organizations that follows
> some established procedures would be one way for customers to get an
> independent guarantee of software's (relative) security.  This in turn
> could put pressure on other vendors to follow suit.

PCI PA-DSS, ISECOM OSSTMM v3, and OWASP Secure Software Contract
Annexes (combined with the OWASP Web Security Certification Framework)
will be available for use in the near-immediate future.  Many other
similar efforts will likely follow.

> The challenges would be defining what those procedures should be,
> maintaining them in a way so that they remain relevant, convincing
> existing research organizations to participate, and handling the problem
> of free (as in beer) software.
>
> A gazillion years ago, John Tan of the L0pht proposed an "Underwriters
> Laboratories" for software, and maybe its time is almost upon us.

I thought this document was more about using FIPS 140-1 to verify
hardware-based cryptographic systems (we now have FIPS 140-2 to do
this for software crypto systems), while providing metrics of how long
it takes to break said crypto via brute-force (in the same way it
takes a safe-cracker to bust a safe open)?  It's also interesting to
note that the FIPS 140-n standards have four levels of verification.

Cheers,
Andre