[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How secure is software X?

To: David Litchfield <davidl@xxxxxxxxxxxxxxx>
Subject: Re: How secure is software X?
From: Tim Newsham <newsham@xxxxxxxx>
Date: Fri, 12 May 2006 08:55:33 -1000 (HST)

At least as secure as Vulnerability Assessment Assurance Level P; or Q or R.Well, that's what I think we should be able to say. What we need is an openstandard, that has been agreed upon by recognized experts, against which theabsence of software security vulnerability can be measured - something whichimproves upon the failings of the Common Criteria.


What about a completely different approach, as chosen by the Sardonix
project?  Keep track of who has tested a particular product and what
they have found.  Keep track of the ability of testers to find things
and the number of things that are missed.  Combine these metrics into
some level of assurance and some security rating....

"5 very good security reviewers have done extensive testing of thisproduct and found a small number of vulnerabilities."

"2 reviewers made a cursory pass over the code and identified a fewissues"

"100 reviewers found many bugs in this product over the last 12 mos, andthe number of vulns seems to be coming down very slowly with each newrevision"

These sort of statements can be made more formal, and each carries a lotof useful information about security and confidence. Of course its onlyas good as participation. I'm not sure the level of information sharingrequired to make this really work is present in the security community.


Tim Newsham
http://www.lava.net/~newsham/

References:
- How secure is software X?
  - From: David Litchfield

Prev by Date: RE: Oracle - the last word
Next by Date: Re: [Reversemode] Microsoft Infotech Storage library Heap Corruption
Previous by thread: Re: How secure is software X?
Next by thread: Re: [Full-disclosure] How secure is software X?
Index(es):
- Date
- Thread