On Fri, 30 Nov 2007, Shea, Brian A wrote:

> Software vendors will need a 3 tier approach to software security:  Dev
> training and certification, internal source testing, external
> independent audit and rating.

I don't think I've seen enough emphasis on this latter item.  A
sufficiently vibrant set of independent testing organizations that follows
some established procedures would be one way for customers to get an
independent guarantee of software's (relative) security.  This in turn
could put pressure on other vendors to follow suit.

The challenges would be defining what those procedures should be,
maintaining them in a way so that they remain relevant, convincing
existing research organizations to participate, and handling the problem
of free (as in beer) software.

A gazillion years ago, John Tan of the L0pht proposed an "Underwriters
Laboratories" for software, and maybe its time is almost upon us.

- Steve
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to