Much of the information security profession discusses how
software development must include security in each phase of the development
process. But that is not something that is obviously being implemented in
software security today. So the question has arisen whether or not there needs to
be some level of legal regulation that governs the development of certain
software systems and ensures compliance with security practices.
Government regulation is not the answer. The answer just
may be the advent of an independent certification capability that can audit software
development practices and the resultant products and certify them as compliant
with some kind of security standard. Software developers would be able to
demonstrate the security of their product through the certification audit, and
the organizations that use the software could demonstrate it too. This gives the market something that is
missing today: information for consumers on the degree of security that has
gone into the software that organizations use to protect their personal and
private information.
The concept is not novel: the auto industry thrives on the
receipt of awards from Motor Trend, JD Power Associates recognizes aspects of
other industries for excellence in certain areas of performance, and, on a
smaller scale, this kind of certification already exists in the form of SSAE-16
certifications.
Would this kind of a capability work? Would it drive improvement? Would consumers react to certifications and
drive business to those organizations that have such certifications? Is this a better solution than government
regulation?