Certification for closed source software
Is there any type of third-party certification for closed source software, similar to how we have ISO9001 for quality management? I'd prefer companies provide their software as open source, however I can imagine cases where the software genuinely doesn't do anything malicious but might still contain trade secrets that the author would want to protect. In these cases, it would be nice to have some kind of certification body that could review the source and assert that it doesn't contain spyware, etc., while still protecting the intellectual property.
You are viewing a single comment
the closest you’ll get is probably SOC II Type 2 or ISO 27001. While nowhere near perfect, those certifications validate that organisational controls such as change management, employee background screening, SDLC and production access controls functioned over the past 12 months. An external audit by an accredited specialist is required to obtain those certifications.
I don't think so or 27001 cover software. It is more internal security controls, segmentation, and breaking responsibilities into specific roles.
Yup, but you have to think “how would malicious software/spyware/whatever get in our source code and if it does, how would we detect it?”
that’s where ISO and SOC II add value and give some assurance that detective, preventative and corrective controls exist and are working to prevent an issue.
If the company maliciously inserts back doors into closed source code and sells it like that, no amount of external audit is going to defend against that because they’ll just hide the code from the auditors.
Unless it is intentional than the controller mean nothing.
yes so you’re agreeing with me