Re: Writing Secure code[update]

From: Crispin Cowan (crispinat_private)
Date: Wed Jan 01 2003 - 20:17:57 PST

charles lindsay wrote:

>the ISO 9000 series, as I recall, had more to do with documenting a (repeatable) process, and in the best of all worlds, providing a feedback process for improving it.  In many cases, it has merely provided proof that a bad process can be repeated, and well understood.
>
That may be true; I am not very familiar with ISO 9000.

>I had thought the Common Criteria were a standardized measure for evaluating secure systems, without much in the way of guidelines about how to build them.
>
That is not true. The Common Criteria evaluates the security of systems
largely in terms of how they are built, and additionally with respect to
what features they provide. For instance, it is a CC requirement that
all source code be under revision control. This requirement in itself
effectively makes it near impossible to certify a full Linux
distribution, because the code bases for the hundreds of packages are
maintained independently.

>The Orange Book probably came closest, but seemed largely unworkable, judging by its breadth of application: I believe only one system was ever certified A1,
>
This is also not true. According to the NSA Evaluated Products List
<http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html>, two "network
components" have been evaluated A1, while *zero* operating systems and
applications have made A1.

> and the most commonly applied level, C2, is so ridiculously trivial that it was even awarded to Windows (albeit NT, not 95).
>
Yeah; C2 pretty much requires that you show up for the meeting, and
bring a check :-)

>  Personally, I have very little faith in proof of correctness (a base requirement for A1), as most proofs tended to be larger than the code they were trying to prove.
>
I agree with that.

All of which supports my point: early standardization is a disaster. The
Orange Book tried to standardize a discipline that is still not well
understood, resulting in a standard that is overly expensive and underly
effective, and therefore largely irrelevant to the real world.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"

    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:45:48 PST