Security assurance in an application is evidence of some kind that it is secure.
An application builder may want assurance in its security for his own benefit (to improve the application). Other parties (buyers or users of the application) may want assurance before trusting the application with their data.
Assurance can come from several sources:
- From the way the application was developed. If the application was developed in a rigorous way by highly qualified people, perhaps it is more secure. Unfortunately it is difficult to find any definite link between the way an application is developed and how secure it is. There are several maturity models available for application security: ISO 21827 (which defines 5 maturity levels) and the OpenSAMM model produced by OWASP (which defines 3). I am not aware of any organisation having adopted ISO 21827, but several have adopted OpenSAMM (including Capgemini).
- From an analysis of the design or code of the application. You can do this manually, but now there are software tools such as HP Fortify that will examine your code automatically. Manual analysis is very effective if done by an expert, but also very expensive. Automated analysis can find a lot of generic vulnerabilities, but also a lot of false positives; you need expertise to interpret what the tools say.
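To make the false-positive point concrete, here is a toy static analyser, added for this article and not part of any real tool such as HP Fortify. It applies one generic rule (a subprocess call with `shell=True`) to a constructed sample program, then does the kind of triage an analyst would do by hand: a finding whose command is a fixed string literal is marked as a likely false positive, while one that builds the command from caller-supplied data is marked as a likely true positive. The sample source, the function names and the rule name are all assumptions for the example.

```python
"""Toy static analyser: one generic rule, then analyst-style triage of its findings."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample "application" source; not code from any real project.
SAMPLE_SOURCE = '''
import subprocess

def list_user_dir(username):
    # Caller-controlled data is interpolated into a shell command
    return subprocess.run("ls /home/" + username, shell=True, capture_output=True)

def disk_usage():
    # Same generic pattern, but the command is a fixed literal
    return subprocess.run("df -h", shell=True, capture_output=True)

def run_safely(username):
    # Argument list, no shell: the generic rule does not fire here
    return subprocess.run(["ls", "/home/" + username], capture_output=True)
'''

SHELL_SINKS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass
class Finding:
    line: int
    function: str
    rule: str
    verdict: str  # "likely true positive" or "likely false positive"


def _callee_name(call: ast.Call) -> str:
    """Return the bare name of the called function (e.g. 'run' for subprocess.run)."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _has_shell_true(call: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _triage(call: ast.Call) -> str:
    """Analyst step: a constant command string cannot carry injected input."""
    cmd: Optional[ast.expr] = call.args[0] if call.args else None
    if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
        return "likely false positive"
    return "likely true positive"


def analyse(source: str) -> List[Finding]:
    """Apply the generic shell=True rule to every top-level function and triage each hit."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (
                isinstance(node, ast.Call)
                and _callee_name(node) in SHELL_SINKS
                and _has_shell_true(node)
            ):
                findings.append(
                    Finding(node.lineno, func.name, "subprocess-shell-true", _triage(node))
                )
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_SOURCE):
        print(f"line {f.line} in {f.function}(): {f.rule} -> {f.verdict}")
```

The raw rule reports two findings for the sample; only the triage step separates the real weakness in `list_user_dir` from the harmless constant command in `disk_usage`, which is exactly the expertise the paragraph says the tool output needs.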
- From testing the application. Testing can also be expensive. Normal testing is intended to show that the application does what was expected when the user acts as expected. It’s not very good at finding vulnerabilities. Penetration testing is specialised testing that does just that – it attempts to exercise known vulnerabilities in order to detect their presence. Penetration testing can be heavily automated and so can be reasonably cost effective.
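The difference between normal testing and penetration testing can be shown with a small file-path helper. The example below is added for this article and is not code from the original; the document root, the two resolver functions and the probe strings are all constructed. A functional test checks the "user acts as expected" case and passes for both the naive and the hardened resolver, so it tells you nothing about the weakness. A security test exercises the known path-traversal pattern and only the hardened resolver rejects every probe.

```python
"""Functional test versus security test for a document-root path resolver."""
import posixpath
from typing import Callable, List, Optional

# Assumed document root for the example (constructed value).
BASE_DIR = "/srv/app/public"

Resolver = Callable[[str, str], Optional[str]]


def resolve_vulnerable(base: str, requested: str) -> Optional[str]:
    """Naive join: trusts the client-supplied path completely."""
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_hardened(base: str, requested: str) -> Optional[str]:
    """Normalise, then refuse any result that is not inside the document root."""
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def _inside_root(path: Optional[str], base: str) -> bool:
    return path is not None and (path == base or path.startswith(base + "/"))


def functional_test(resolver: Resolver) -> bool:
    """The expected-use case: a normal relative path resolves under the root."""
    return (
        resolver(BASE_DIR, "reports/q1.txt") == BASE_DIR + "/reports/q1.txt"
        and resolver(BASE_DIR, "reports/../index.html") == BASE_DIR + "/index.html"
    )


# Known traversal patterns a security test sends on purpose (constructed probes).
TRAVERSAL_PROBES = [
    "../../etc/hosts",
    "reports/../../secret.txt",
    "/etc/hosts",
]


def security_test(resolver: Resolver) -> List[str]:
    """Return the probes that the resolver let escape the document root."""
    escaped = []
    for probe in TRAVERSAL_PROBES:
        result = resolver(BASE_DIR, probe)
        if result is not None and not _inside_root(result, BASE_DIR):
            escaped.append(probe)
    return escaped


if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
        print(name, "functional:", functional_test(resolver))
        print(name, "escaped probes:", security_test(resolver))
```

Both resolvers pass the functional test, which is why ordinary testing rarely surfaces vulnerabilities; the security test reports three escaped probes for the naive version and none for the hardened one. The same pattern, a fixed list of known probes run automatically, is what makes penetration testing cheap to repeat.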
There is a standard called the Common Criteria (ISO 15408) which attempts to take all these types of assurance into account. It defines 7 levels of assurance (EAL1 to EAL7, where 1 is the lowest and 7 the highest). Products can be evaluated against the Common Criteria by licensed test laboratories. Be warned: such evaluations are very expensive and, I have to say, are oriented more to documentation than to real security weaknesses. Many firewalls are certified to EAL4; very few products are evaluated to a higher level.