Methods to certify a software application

    micutzu wrote (#1):

    Hello, I have a software application that works in LAN. I have several requests from possible new customers to provide an independent report that will certify that the software will not send data outside of their network. Do you know a company who can certify this by testing the product? Also, do you have any idea about how much this will cost? The product already holds Certified for Windows 2003 Server from VeriTest. This was a while ago.

      stevio wrote (#2):

      Doing a full source code analysis and test would (depending on the software) potentially be a long and expensive process, which may not be cost effective, or even effective at detecting problems. If your application uses easily identifiable network traffic, you could advise them to set some firewall rules to log and drop the packets. They could then run the software for a while to test it to their own satisfaction. I would have thought that this would be the cheapest and easiest solution. If their data is security critical, they should have a robust firewall ruleset anyway. Presumably though, they want a certificate so they don't have to take responsibility for it for legal reasons... If so, they should be able to advise you on a suitable certification company / authority. If not, it doesn't really mean anything, and you could just get anyone to glance over the source and say they certify it (in a non legally binding sense of course :) )

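The log-and-drop check suggested in the reply above, as an added example that is not part of the original posts: it reads firewall log lines and counts packets the application host sent to destinations outside the LAN. The host address, LAN range, log format and the `APP-EGRESS` prefix are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the thread: the application host, the LAN range and
# the netfilter-style log format with a hypothetical "APP-EGRESS" prefix.
APP_HOST = ipaddress.ip_address("192.168.10.25")
LAN_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log; documentation-range addresses stand in for
# Internet hosts.
SAMPLE_LOG = """\
Jan 12 09:00:01 gw kernel: APP-EGRESS SRC=192.168.10.25 DST=192.168.10.7 PROTO=TCP SPT=50112 DPT=1433
Jan 12 09:00:05 gw kernel: APP-EGRESS SRC=192.168.10.25 DST=203.0.113.40 PROTO=TCP SPT=50113 DPT=443
Jan 12 09:01:05 gw kernel: APP-EGRESS SRC=192.168.10.25 DST=203.0.113.40 PROTO=TCP SPT=50114 DPT=443
Jan 12 09:02:00 gw kernel: APP-EGRESS SRC=192.168.10.31 DST=198.51.100.9 PROTO=UDP SPT=40000 DPT=53
Jan 12 09:02:09 gw kernel: APP-EGRESS SRC=192.168.10.25 DST=198.51.100.9 PROTO=UDP SPT=40001 DPT=53
Jan 12 09:05:00 gw kernel: eth0: link is up
"""


def outside_destinations(log_text, app_host=APP_HOST, lan=LAN_NETWORKS):
    """Count logged packets from app_host to destinations outside the LAN."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # not a packet log line, or a malformed address
        if src != app_host:
            continue  # traffic from some other machine
        # Compare against the explicit LAN list; is_private would also accept
        # reserved ranges that are not this LAN.
        if any(dst in net for net in lan):
            continue
        hits[(str(dst), fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (dst, proto, port), n in sorted(outside_destinations(SAMPLE_LOG).items()):
        print(f"{dst} {proto}/{port}: {n} packet(s)")
```

An empty result covers only the period the firewall was logging.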
        micutzu wrote (#3):

        Thanks for the reply. Verifying the data sent / received by the application is not complicated and it can be easily done. Plus a good security architecture is a must for every business. But they need some extra guarantees like ICSA Labs for example. But my product does not suit any of the categories (it is not security related). If anyone can provide more solutions - leads :) I will definitely check them. Thanks again.

          stevio wrote (#4):

          Sorry, I'm not aware of any companies that do that, but as a slightly off the wall suggestion, you could try talking to some university departments about it. They may take it as a research project, or be able to put you in contact with some agencies who could help. Those sorts of places usually have some industry contacts. E.g. http://selab.netlab.uky.edu/ or similar. I agree it's easy if you make the assumption that the software behaves consistently, and is not essentially hostile (for example hidden functionality that sends data elsewhere under certain conditions), but I thought the point was that they weren't prepared to take your word for it. I wouldn't know how to check for that without analysing the source - which might still miss the offending code if it were well enough hidden. Either way, best of luck with it.