Software security standards

Is there an organization that certifies software components for certain security aspects?

For instance, let's say I'm selling an ISAPI filter for IIS and I'd like to give my customers some peace of mind. Can I provide some type of certification that proves my component is hacker proof?

The short answer is no, there isn't.

There are organizations that you can hire that do security reviews of software. For example, Cigital, @Stake, Securify and others will audit and review software. However, there are no standards for how this is done, and there are no certifications for it.

At a larger level, certification for software reliability has been a goal of software engineering for decades, and we're no closer to it now than we were twenty-five years ago.

At an even higher level, there is no way to prove that your software is bug-free. As a matter of fact, it has been mathematically proven that there is no way to prove that your software is bug-free.

Coming back down to Earth, there is a lot you can do to increase the reliability of your software. The first is adjusting your own attitude. As you write the software, ask yourself what could go wrong. What could a devious person slip you that would be wrong? Can they give you a URL that has up-path references? Can they modify elements in a form? What if they hand-construct a POST operation? Look at all the arrays you use, and verify that you check bounds on them. Even better, there are packages for C and C++ that have bounds checking on strings and buffer checking. There are also languages like Java, Perl and so on, that put these things into the language.
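Two of the checks the answer lists, written out as an added example (this is not code from the original answer or from any real ISAPI filter): rejecting a request path that contains an up-path ("..") segment, and copying untrusted input into a fixed-size buffer only after confirming it fits. The function names and the sample paths are constructed for the illustration; C is used because ISAPI filters are written in C or C++.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns true if any path component is exactly "..",
 * e.g. "/a/../b" or "/..". Backslash is treated as a separator too, because
 * Windows and IIS accept it. A component such as "..b" does not match. */
bool has_up_path_segment(const char *path) {
    const char *p = path;
    while (*p != '\0') {
        /* p points at the start of a path component */
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.') return true;
        if (*end == '\0') break;
        p = end + 1;
    }
    return false;
}

/* Hypothetical helper: copies src into dst (capacity dst_size) only if it
 * fits including the terminating NUL. On failure dst is left empty and
 * false is returned, so the caller cannot proceed with a truncated or
 * overflowed buffer. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return false;
    if (len >= dst_size) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Decide whether a request path may be handled: no up-path segments, and
 * short enough for the fixed buffer the filter works with. The 64-byte
 * limit is a constructed value for the example. */
bool accept_request_path(const char *path) {
    char local[64];
    if (has_up_path_segment(path)) return false;
    return copy_bounded(local, sizeof local, path);
}

int main(void) {
    /* Constructed sample request paths */
    const char *samples[] = {
        "/index.html",
        "/images/../../secret.txt",
        "/a/..b/c",
        "/..",
        "/ok\\..\\secret",
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        printf("%-28s -> %s\n", samples[i],
               accept_request_path(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The segment check runs on the decoded path: if the filter sees the raw URL, percent-decode it first and then apply the check, otherwise an encoded dot will not be compared as a dot. The bounded copy returns a result the caller must test, which is the habit the answer is asking for: every array access and every copy is preceded by a check against the buffer's real size.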

You can start doing regular code reviews, where people who didn't write the code actually read it. Code reviewing has been proven over the decades to improve quality and actually improve productivity once you're used to doing it. Yet, time and time again, organizations don't review their code because they think it's too much trouble. (This comes back to having a security-minded attitude.)

What is your attitude about bugs? Do you think that bugs are like the weather -- some days it rains? Or do you think that a bug means that you personally made a mistake? Do you think that bugs are things QA finds, or things you find? Software developers who do things as simple as single-stepping through their program in the debugger produce better programs than those who think that bugs are things you hire QA people to find. Software developers who believe that bugs are personal embarrassments (albeit embarrassments that everyone makes from time to time) produce better software than developers who don't care.

There is no software equivalent of Underwriters' Laboratories, or even Good Housekeeping. There's no quality seal of approval that people agree on. There are organizations that will review software and designs, for a price. There are also well-known, little-practiced techniques for producing quality software that your group (even if that group is just you) can follow. The first step is to believe that the quality of the software your group produces reflects on you.

For more information on this topic, check out these resources:
News: The disclosure debate rages
Best Web Links: Law, Public Policy and Standards


This was first published in November 2001
