Peter Gutmann hits the nail on the head, as always. 'CC' as referred to in the message below is the Common Criteria.
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: dwheeler@ida.org, secprog@securityfocus.com
Date: Fri, 3 Jan 2003 16:47:15 +1300
Subject: Re: Standards for developing secure software
Message-Id: <200301030347.h033lFb05091@medusa01.cs.auckland.ac.nz>
David Wheeler <dwheeler@ida.org> writes:
>But if you really want secure code, the MOST important thing is to get
>developers trained in how to write secure programs. The basic problem isn't
>that we need better books or guidance. The problem is that developers don't
>grok _ANY_ of the books. In short, you only need one meta-practice: if you're
>a developer, you MUST sit down and learn how to write secure code. Period.
Yup, that's the single "methodology" which works for writing secure code: Get
it written by a skilled programmer who has the self-discipline to very
carefully check every part of their work to make sure there are no problems.
However, you also need to combine this with a development schedule of "Let us
know when you think it's ready for public use" (again, with the self-discipline
to ensure that something gets released at some point). The whole
point of the CC and everything like it is to (try to) emulate the
functionality of the skilled security programmer using unskilled labour. It
works about as well as handing a random kid a sheet of music and a fingering
guide and expecting to hear Yehudi Menuhin. You can't fake this, you need
actual *talent* to make it happen (although you can produce a lot of paperwork
claiming it should be OK if that's all you're after).
There are some downsides to this approach. Marv Schaefer (I think... well it
sounds like the sort of thing he would have said) once observed that "To get a
truly secure system, you must ensure that it's designed and built by geniuses.
Unfortunately, geniuses are in short supply". Still, I'm much more confident
that something like Postfix or Qmail is secure than "Unbreakable Oracle", no
matter how many security certificates and full-page ads Oracle have for it.
Peter.