On Fri, 30 Nov 2007, Shea, Brian A wrote:

> Software vendors will need a 3 tier approach to software security: Dev
> training and certification, internal source testing, external
> independent audit and rating.

I don't think I've seen enough emphasis on this latter item. A sufficiently vibrant set of independent testing organizations that follows some established procedures would be one way for customers to get an independent guarantee of software's (relative) security. This in turn could put pressure on other vendors to follow suit.

The challenges would be defining what those procedures should be, maintaining them in a way so that they remain relevant, convincing existing research organizations to participate, and handling the problem of free (as in beer) software.

A gazillion years ago, John Tan of the L0pht proposed an "Underwriters Laboratories" for software, and maybe its time is almost upon us.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________