Is there any type of third-party certification for closed source software, similar to how we have ISO9001 for quality management? I’d prefer companies provide their software as open source, however I can imagine cases where the software genuinely doesn’t do anything malicious but might still contain trade secrets that the author would want to protect. In these cases, it would be nice to have some kind of certification body that could review the source and assert that it doesn’t contain spyware, etc., while still protecting the intellectual property.
the closest you’ll get is probably SOC II Type 2 or ISO 27001. While nowhere near perfect, those certifications validate that organisational controls such as change management, employee background screening, SDLC and production access controls functioned over the past 12 months. An external audit by an accredited specialist is required to obtain those certifications.
I don’t think so or 27001 cover software. It is more internal security controls, segmentation, and breaking responsibilities into specific roles.
Yup, but you have to think “how would malicious software/spyware/whatever get in our source code and if it does, how would we detect it?”
that’s where ISO and SOC II add value and give some assurance that detective, preventative and corrective controls exist and are working to prevent an issue.
If the company maliciously inserts back doors into closed source code and sells it like that, no amount of external audit is going to defend against that because they’ll just hide the code from the auditors.
Unless it is intentional than the controller mean nothing.
yes so you’re agreeing with me
That certificate would not proof anything. Things can be overlooked or hidden enough. More eyes = more better. OS is no guarantee either.
Also, it would be way too expensive, money and time wise. Every new Version would need to be certified.
Yes there is, in most countries you can first submit your code to the intelectual property office and then pay someone to audit it.
In what country? There are various national certifications for this purpose.
