Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 - MrGamm (WebProWorld Pro), 02-09-2008, 11:41 PM
Security Certifications

I have recently opened a software as a service business. I spoke to somebody the other day about having to have my software audited by a security specialist before it would be taken seriously and I was asked to provide an installation of the source code on their server.

I find this rather hard to believe that a professional security audit should ever even have to look at the internal functions of the software at all.

I mean... should a website be deemed secure by a code audit? My code is close to ten megabytes. Who in their right mind would audit such a thing manually? There must be some sort of Xenu style program which can certify your software?

In any event, I do believe that such things must exist and I am curious as to what types there are, what levels of certification... basically any information would be useful...

James
SaaS for small business
__________________
James Weisbrod - programmer
#2 - wige (WebProWorld Moderator, United States), 02-11-2008, 11:20 AM
Re: Security Certifications

To give you a practical example, every application on my server is "known secure." These applications are used by thousands, if not millions, of other companies, and when a vulnerability is discovered, I will be notified by CERN or another source of that vulnerability before an attack is likely. If the application is less well known or if it is custom built, I would need some way to verify that the application is secure. This would mean that I have to either trust the maker of the application to produce a secure program, or trust a third party that has evaluated the program. If I am unable to get that level of trust, I won't use the program. A network can only be as secure as the least secure component, and unless I can trust every component, it won't be a part of my network.

Bear in mind, there really is no such thing as an absolutely secure application. As soon as you fix every vulnerability in a piece of software, new issues will be found. From a practical standpoint, there are two considerations when evaluating a piece of software.

The first is that the application has no "obvious" vulnerabilities. There are security issues inherent in different programming systems, application types, etc. that are common in applications that are not built with a focus on security. Buffer overflows, denial of resource, permission elevation, etc. can all be common issues because the language the software is created in does not inherently protect against exploit. The only way to test against this is to perform a security audit. If I were considering your software, it comes down to reputation. I've never heard of your company, so I don't trust your software. So then the question becomes, who vouches for your software (having evaluated and certified it as secure) and can I trust them?

The second consideration is how you handle new vulnerabilities to your software. The more common an application becomes, the more of a target it is to attackers. What measures do you have in place to detect new vulnerabilities, how quickly will there be a patch, etc. This, again, comes back to how well I can trust your company to maintain the application.

Granted, this is assuming that the software you are creating is aimed at a web server or a corporate network. There is a different standard for trust for home and business applications. This usually involves checking the software to ensure that it does not contain spyware or viruses, or allow the host computer to be compromised. This is typically covered in a basic security audit from a recognized company, and will usually consist of loading the application into a special compiler that works through the code looking for issues.
__________________
The best way to learn anything, is to question everything.
#3 - MrGamm (WebProWorld Pro), 02-11-2008, 02:10 PM
Re: Security Certifications

Quote:
Originally Posted by wige View Post
To give you a practical example, every application on my server is "known secure." These applications are used by thousands, if not millions, of other companies, and when a vulnerability is discovered, I will be notified by CERN or another source of that vulnerability before an attack is likely. If the application is less well known or if it is custom built, I would need some way to verify that the application is secure. This would mean that I have to either trust the maker of the application to produce a secure program, or trust a third party that has evaluated the program. If I am unable to get that level of trust, I won't use the program. A network can only be as secure as the least secure component, and unless I can trust every component, it won't be a part of my network.
I will look into CERN... perhaps they have a certification process that will benefit me in the future.

Quote:
Originally Posted by wige View Post
Bear in mind, there really is no such thing as an absolutely secure application. As soon as you fix every vulnerability in a piece of software, new issues will be found. From a practical standpoint, there are two considerations when evaluating a piece of software.
This is what I am well aware of. A password can be exploited through any means not directly related to the software application itself.

Quote:
Originally Posted by wige View Post
The first is that the application has no "obvious" vulnerabilities. There are security issues inherent in different programming systems, application types, etc. that are common in applications that are not built with a focus on security. Buffer overflows, denial of resource, permission elevation, etc. can all be common issues because the language the software is created in does not inherently protect against exploit. The only way to test against this is to perform a security audit. If I were considering your software, it comes down to reputation. I've never heard of your company, so I don't trust your software. So then the question becomes, who vouches for your software (having evaluated and certified it as secure) and can I trust them?
Specifically, that's what I am asking for... information on who certifies software. Personally I believe having a website in production with a good number of well trafficked websites would be enough... vulnerability detection being the responsibility of the software service provider. But I understand the need for a third party certification to ease the worries and concerns of clients.

Quote:
Originally Posted by wige View Post
The second consideration is how you handle new vulnerabilities to your software. The more common an application becomes, the more of a target it is to attackers. What measures do you have in place to detect new vulnerabilities, how quickly will there be a patch, etc. This, again, comes back to how well I can trust your company to maintain the application.
This is why any involvement from a third party company worries me. Auditing code is a security risk in itself. Programmers hired by companies cannot take code with them for security reasons. Why a third party company should have access to source code for security purposes is beyond me... Exploit testing should be done externally from my point of view. Audits should be on the software itself... not from examining the code.

Quote:
Originally Posted by wige View Post
Granted, this is assuming that the software you are creating is aimed at a web server or a corporate network. There is a different standard for trust for home and business applications. This usually involves checking the software to ensure that it does not contain spyware or viruses, or allow the host computer to be compromised. This is typically covered in a basic security audit from a recognized company, and will usually consist of loading the application into a special compiler that works through the code looking for issues.
I would think all levels of security should be the same for any networking application regardless of whether it is for a home based business or not. I could understand the need for less security scrutiny if the application itself resided within a private corporate network, however.
__________________
James Weisbrod - programmer

Last edited by MrGamm; 02-11-2008 at 02:13 PM.
#4 - carbonize (WebProWorld Veteran, Bristol, UK), 02-11-2008, 02:19 PM
Re: Security Certifications

Ah so you are saying the program(?) is for use on an intranet only?

If you want a company to certify a program (do we mean script?) as secure then yes they do need to look at the code. They need to see how it handles any data sent to it by users for one thing.
__________________
Carbonize
#5 - wige (WebProWorld Moderator, United States), 02-11-2008, 04:38 PM
Re: Security Certifications

I don't know why I said CERN, I should have said CERT, or more specifically US-CERT, the United States Computer Emergency Response Team, a division of Homeland Security. They are a good source of vulnerability information. As far as I know, they don't provide any auditing, they act more as a clearinghouse for vulnerability information. If a product is commonly used, they log information about vulnerabilities detected and reported by others, along with remediation information.

US Government version: US-CERT: United States Computer Emergency Readiness Team
Carnegie Mellon University's version: http://www.cert.gov/

I guess the first thing I really should have asked is what is it that you are trying to demonstrate is secure? Is this software you have written or third party software you install as a service? Is this a standalone application, a network or Internet-capable application, or a web script? And is this software for business use, or for consumers? Also, does the software "touch" personally identifiable information, financial information, or medical information?
__________________
The best way to learn anything, is to question everything.
#6 - kgun (WebProWorld MVP, Norway), 02-14-2008, 11:38 AM
Re: Security Certifications

What about the security layer of the web? That is in my view the first step in setting up a site and a web business. It can save you from days and months of work if your site grows large enough.

Scroll down to the heading "Advice for webmasters, especially those who want to set up a new site". Much of the advice given there also applies to webmasters running old sites. It can even be valid on an intranet, as long as there are different IPs on the intranet.
#7 - MrGamm (WebProWorld Pro), 02-25-2008, 12:40 PM
Re: Security Certifications

Quote:
Originally Posted by wige View Post
I guess the first thing I really should have asked is what is it that you are trying to demonstrate is secure? Is this software you have written or third party software you install as a service? Is this a standalone application, a network or Internet-capable application, or a web script? And is this software for business use, or for consumers? Also, does the software "touch" personally identifiable information, financial information, or medical information?
The software is for business use and consumers. It's website software which I have written approximately 70% of. A few third party libraries are in use but are being phased out. Blog/E-Commerce/Record Management. It has been configured to interface and relay credit information to third party processors. It has dependencies on Linux, Apache, MySQL and PHP. It stores non-critical information like order histories, customer information, company data. No medical industry use, not required to be fault tolerant if that's what you're referring to. It is installed on a few different servers at this point and is provided as a service to small businesses. It follows the SaaS development model and I am looking to expand the installation onto more servers.

What would be the best option for someone like myself looking for more credibility?
__________________
James Weisbrod - programmer
#8 - able (WebProWorld New Member, Glasgow), 02-25-2008, 01:20 PM
Re: Security Certifications

I'm not very knowledgeable about such things; however, you might want to look at a company such as netcraft.com, who offer web app security audits.
#9 - MrGamm (WebProWorld Pro), 03-01-2008, 03:34 PM
Re: Security Certifications

Quote:
Originally Posted by able View Post
I'm not very knowledgeable about such things however you might want to look at a company such as netcraft.com who offer web app security audits.
That's the company that sends all of my sites referral spam... what a way to advertise eh?
__________________
James Weisbrod - programmer
#10 - able (WebProWorld New Member, Glasgow), 03-02-2008, 09:02 AM
Re: Security Certifications

I'd like to see what evidence you have for the claim if you don't mind.

They operate a spider... a well known spider... is that what you mean?