On Nov 30, 2007 1:37 PM, Steven M. Christey <[EMAIL PROTECTED]> wrote:
> > Software vendors will need a 3-tier approach to software security: Dev
> > training and certification, internal source testing, external
> > independent audit and rating.
>
> I don't think I've seen enough emphasis on this latter item. A
> sufficiently vibrant set of independent testing organizations that follows
> some established procedures would be one way for customers to get an
> independent guarantee of software's (relative) security. This in turn
> could put pressure on other vendors to follow suit.

PCI PA-DSS, ISECOM OSSTMM v3, and the OWASP Secure Software Contract Annexes (combined with the OWASP Web Security Certification Framework) will be available for use in the near-immediate future. Many other similar efforts will likely follow.

> The challenges would be defining what those procedures should be,
> maintaining them in a way so that they remain relevant, convincing
> existing research organizations to participate, and handling the problem
> of free (as in beer) software.
>
> A gazillion years ago, John Tan of the L0pht proposed an "Underwriters
> Laboratories" for software, and maybe its time is almost upon us.

I thought this document was more about using FIPS 140-1 to verify hardware-based cryptographic systems (we now have FIPS 140-2 to do this for software crypto systems), while providing metrics of how long it takes to break said crypto via brute force (in the same way it takes a safe-cracker a measured time to bust a safe open)?

It's also interesting to note that the FIPS 140-n standards have four levels of verification.

Cheers,
Andre
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________