[trustable-software] Security certifications and agreements
Paul Sherwood
paul.sherwood at codethink.co.uk
Fri Apr 12 10:17:01 BST 2019
Hi Charles,
welcome aboard! Please see my comments inline...
On 2019-04-11 15:08, Charles-H. Schulz wrote:
> This the first time I'm posting here. I've done some cursory research
> on the Trustable Gitlab as well as on this mailing list, but I do not
> see software security (as in, "cybersecurity") being considered or
> investigated by this project. I'd be happy to help in that regard.
You're right that we've not so far begun any material work targeting
security specifically, mainly I think due to lack of bandwidth, not lack
of interest. There are quite a few cybersecurity folks on the list
already, who I think would be pleased to collaborate.
We have been considering security as part of our overall thinking and
approach, however, and I personally see overlap between security and
safety concerns in many cases. I fear these are not being adequately
addressed in general. Some of the systems engineering thinking from
STAMP + STPA may usefully address the overlap so that's the approach I'm
most actively exploring.
> More specifically, there are a set of international standards as well
> as government delivered security certifications that help clearly
> label or verify the solidity of any given software. I'm particularly
> thinking about the Common Criteria (http://www.commoncriteria.org) but
> there are other sets of requirements, sometimes based on these.
This is interesting, for sure.
I do note in passing that the site supports http: but not https:, which
these days triggers security alerts in many browsers (!)
> In some other instances, there are even specific audits that combine
> security certifications and sofware assurance schemes involving the
> tracking/mapping of components origins, authors, etc.
>
> I do realize that security is but one element of what is very much a
> continuum when it comes to the trustability of software. In my opinion
> however, it is far from being a trivial or unimportant one.
Totally agree.
> My question at this point is whether we should add to the wiki or the
> existing documents - after discussion here.
Absolutely. In the interim I've submitted a merge request to add the CC
and SOGIS projects to the website [1]
br
Paul
[1] https://gitlab.com/trustable/trustable.gitlab.io/merge_requests/4
More information about the trustable-software
mailing list