Bryan Owen

“A” ratings for software

Blog Post created by Bryan Owen on Jun 24, 2010

Most of us have probably taken chances with street vendors or the occasional "B" grade dining establishment. But let's face it, if your favorite restaurant failed to get an "A" rating you would take notice.


Similarly the rating paradigm for secure software is gaining momentum as more and more buyers are demanding independent assessment of software security. Veracode provides such services, here is their rating scheme:




In this case, the lowest bar is pretty low, simply recommending a passing scan using static analysis tools. You might even expect that most .NET applications would be a shoe in because code analysis is already built in (provided you are running code analysis and not suppressing messages without real investigation). Regardless, a clean scan is unlikely unless the developer has tools on par with those used by security assessment firms. 


Here are the code analysis categories checked when using .NET FxCop:

  • Design Warnings
  • Globalization Warnings
  • Interoperability Warnings
  • Naming Warnings
  • Performance Warnings
  • Security Warnings
  • Usage Warnings

The message here isn't to promote Veracode, there are many security assessment firms to choose from. But I will comment that the logistical model seems workable. Source code need not be provided for binary analysis. You just upload the executable (it is a bit interesting their analysis tool is reported to work best with debug builds). Regardless, when the buyer picks up the tab, ISVs have little control over who performs the ‘independent' assessment.


Of course, secure software ratings are too simplistic to be any more effective than restaurant grades are at ensuring a healthy meal. The real message is that assessments are becoming routine and a competitive business. There are plenty of market forces generating demand for security assurance.


A clean static analysis scan is good but only one element of a security program. While not the most important element it does appear to be one that can be easily implemented. I encourage all of you to take advantage of code analysis tools. Looking forward, industrial cyber security compliance initiatives such as ISA Secure and WIB involve a far more rigorous audit delving into your security development lifecycle.