Software security standards
Is there an organization that certifies software components for certain security aspects?
For instance, let's say I'm selling an ISAPI filter for IIS and I'd like to give my customers some peace of mind. Can I provide some type of certification that proves my component is hacker proof?
The short answer is no, there isn't.
There are organizations that you can hire that do security reviews of
software. For example, Cigital, @Stake, Securify and others will audit and
review software. However, there are no standards for how this is done, and there are no
certifications for it.
At a larger level, certification for software reliability has been a goal
of software engineering for decades, and we're no closer to it now than we
were twenty-five years ago.
At an even higher level, there is no way to prove that your software is
bug-free. As a matter of fact, it has been mathematically proven that there
is no way to prove that your software is bug-free.
Coming back down to Earth, there is a lot you can do to increase the
reliability of your software. The first is adjusting your own attitude. As
you write the software, ask yourself what could go wrong. What could a devious
person slip you that would be wrong? Can they give you a URL that has
up-path references? Can they modify elements in a form? What if they
hand-construct a POST operation? Look at all the arrays you use, and verify
that you check bounds on them. Even better, there are packages for C and C++
that have bounds checking on strings and buffer checking. There are also
languages like Java, Perl and so on, that put these things into the
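As an added illustration of two of the checks just listed, written for an ISAPI-style filter in C (this is not code from the original column): rejecting a request path that carries up-path references, and copying an untrusted header value only after an explicit bounds check. MAX_HEADER, the function names and the sample inputs are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the column: two checks the answer calls for
 * in a C/C++ filter. MAX_HEADER and the function names are chosen here. */
#define MAX_HEADER 64

/* Returns 1 if any '/'- or '\'-separated segment of path is exactly "..".
 * Call it on the percent-decoded path (assumed done by the caller), or an
 * encoded "%2e%2e" slips past. Checking whole segments keeps a legitimate
 * name such as "/a..b/" from being rejected. */
int has_up_path_reference(const char *path)
{
    const char *seg = path;
    for (;;) {
        size_t len = strcspn(seg, "/\\");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (seg[len] == '\0')
            return 0;
        seg += len + 1;
    }
}

/* Copies untrusted src into dst (capacity dst_size) only when it fits with its
 * terminator; returns -1 otherwise. The bug the answer warns about is the
 * unchecked strcpy(dst, src), which overruns dst on a long value. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* One filter decision: 1 = let the request through, 0 = reject it. */
int filter_request(const char *decoded_path, const char *user_agent)
{
    char ua[MAX_HEADER];
    if (has_up_path_reference(decoded_path))
        return 0;
    if (copy_bounded(ua, sizeof ua, user_agent) != 0)
        return 0;
    return 1;
}
```

A rejected request is the safe default here: a value that does not fit the buffer is refused rather than silently truncated, so the filter never has to reason about a partial copy.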
You can start doing regular code reviews, where people who didn't write the
code actually read it. Code reviewing has been proven over the decades to
improve quality and actually improve productivity once you're used to doing
it. Yet, time and time again, organizations don't review their code because
they think it's too much trouble. (This comes back to having a
What is your attitude about bugs? Do you think that bugs are like the
weather -- some days it rains? Or do you think that a bug means that you
personally made a mistake? Do you think that bugs are things QA finds, or
things you find? Software developers who do things as simple as
single-stepping through their program in the debugger, produce better
programs than those who think that bugs are things you hire QA people to
find. Software developers who believe that bugs are personal embarrassments
(albeit embarrassments that everyone makes from time to time) produce
better software than developers who don't care.
There is no software equivalent of Underwriters' Laboratories, or even Good
Housekeeping. There's no quality seal of approval that people agree on.
There are organizations that will review software and designs, for a price.
There are also well-known, little-practiced techniques for producing
quality software that your group (even if that group is just you) can
follow. The first step is to believe that the quality of the software your
group produces reflects on you.
This was first published in November 2001