Security Certification - Does It really mean not much?
Posted Nov 13, 2003 9:33 UTC (Thu) by noxxi
Parent article: Security Certification - The Open Source Way
working for a company who did ITSec certification (german security
certification) a few years ago and does it again I must say that
the certification process itself can make a product a lot more secure.
For ITSec Level 3 you have (among other things) to:
- document all tools and interfaces
- document the design and not only document it, but
also explain all the security relevant decisions and
show potential weaknesses
- provide a lot of tests for *fully* testing the certified functionality
If you've done this you
- rethought a lot of design decisions (because you need to
explain it to someone who knows, not some marketing guy)
- have a test suite which you can rerun again and again while
you continue to develop the product, thus making sure that none
of the important stuff breaks
This way you don't get a 100% secure product, but the product is
way better than before.
to post comments)