On Fri, 3 May 2002, Mikael Olsson wrote:

> Paul Robertson wrote:
> >
> > CC is a lot like an ISO9001 certification, where the vendor can
> > set the standards they'll be measured against and then get measured
> > against them.
>
> Now watch me do one of my spin-around-and-stab-myself-in-the-back
> acts again :)

Must be too much Absolut or something ;)

> Actually, I believe there _is_ some value in EAL 3 and better, given
> that, at that level, they start evaluating your ways of doing your
> work to a much greater degree. This does ensure _some_ kind of

There's _some_ value in ISO900n as well, but I don't think there's as much value there as most people seem to think. I've yet to see a software organization that follows the written procedures/processes and keeps its product competitive/patched/functional - but I'm cynical and I've seen a lot of the bottom of the barrel.

> quality thinking in the vendor's organization (i.e. you're not just
> into happy hacking, where everything falls apart if the local guru
> leaves the organization and such.)

I'm not sure that ever proved out when the vendor buyout and shuffle stuff happened (which seemed far more common than the single person leaving thing when the US defense contractor scene imploded a few years ago.) I know I found bugs in stuff that was under evaluation at B2 from the end-user standpoint despite all the code review, design review, process documentation, etc.

In any case, I think this gets into worrying about the last 2% of the problem - and I'm not sure it's as important as ensuring that contracts cover licensing/implosion and the "regular" company due diligence that has to be done anyway.

I wouldn't pick a manufacturer over just ISO900n certification, and I wouldn't pick a firewall over just $foo certification. I'd use the evaluations as a guideline (the ICSA Labs notes are always interesting reading for both firewalls and IPSec stuff, and they're on the Web for free.) Understanding what the certification/testing represents (and doesn't represent) though is very important.

In a world where very smart, very well-known vendors with crypto products have initialization vector issues in shipping products, I think by the time you get to the "I might want one of these" stage, you've pretty much eliminated the people who'd fail EAL3[1]. Given the cost, and given a non-defense product I'm not sure there's not a question about where else that money might have been better spent (like maybe in QA.)

Paul

[1] Maybe not though.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
