Because there are so many species of software (e.g., language, application, industry, target environment, etc.), many different specialized software certification methodologies are needed. The notion that you can certify a website for security using the same scheme that you'd use to certify software in a pacemaker is absurd. Interestingly, software process improvement schemes have taken this approach and have suffered as a result. Their "one approach fits all" perspective is the reason why we are today seeing new process improvement schemes occurring (e.g., CMM-SSE and the Common Criteria are recent newcomers that address developing software with security requirements). This talk discusses a framework for customizing certification methodologies for the specific needs of the organization requesting assurances about the software's integrity. Each methodology must mirror the nuances of a particular species of software. For example, certifying that a desktop plug-in will behave appropriately requires different technologies than those needed to certify that an aircraft control system will behave appropriately. The goal of this framework is to provide a more systematic way to create software quality certificates. The ultimate goal is to someday have methodologies that provide measurable and objective data about the "goodness" of a software package such that a limited warranty about the quality can be granted. For the industry to tolerate them, these methodologies will need to be automated (in order to be fair), fast, inexpensive, and based on repeatable and reproducible assessment technologies.
Jeffrey Voas is a Co-founder and Chief Scientist of Reliable Software Technologies. Reliable Software Technologies was recently named to the Inc. 500 (the fastest growing privately-held companies in the United States). Voas has published over 140 articles and has co-authored two Wiley books: (1) Software Assessment: Reliability, Safety, Testability (1995), and (2) Software Fault Injection: Inoculating Programs Against Errors (1998). Voas is writing a new Wiley book on software certification which is due out in September of 2000. Voas has co-authored a book chapter on software liability for the "Advances in Computers" book series that will be available in 2000 (Academic Press). Voas was the editor of a special issue of IEEE Computer devoted to "Commercial off-the-shelf software" (June 1998) and the special issue of IEEE Software devoted to "Software certification" (July 1999). Voas is the co-editor of a special issue of IEEE Software devoted to "malicious information technology" (September 2000).