
[Full-disclosure] Re: How secure is software X?

Subject: [Full-disclosure] Re: How secure is software X?
Date: Sat, 13 May 2006 12:25:23 -0700
David Litchfield wrote:
> Hi Justin,
> One thing you have to keep in mind is that a lot of things are incredibly
> variable when dealing with this subject.
> [...]
> There are a few things to remember:
> [...]

One thing I also believe is that while there will always be a lot of variables, there is still value in writing down a standard. So I guess I agree with "both sides" of this discussion.

If something is not in the standard and is deemed valuable, it can be amended. (I think it's obvious such a standard would be a living document, like OWASP, etc.) In the meantime, you can still say "software X complies with the standard" or "software Y does not comply with the standard". This at least gives you a subjective way (if the standard is well written) to compare and contrast products in terms of security.

The effort would form an "application security RFC" of sorts -- a given product either complies, or it does not. Compliance says something about the product's security, but does not say it is "unbreakable". Just like RFCs, some people will prefer compliant products while others won't likely care. Having such a standard would be useful to some of us, and the rest shouldn't be any worse off.

I sincerely hope that such a standard will not only come to exist, but that it will also be centrally coordinated so as to maximize community benefit. It's much easier to walk through 'the one true standard' than it is to compare and contrast a handful of standards.

Of course such a standard would have many focus areas, contributors, etc. It's just more valuable if a given standard gets buy-in and support rather than software X saying they comply with standard foo while software Y touts they comply with standard bar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/