this post was submitted on 12 May 2024
27 points (84.6% liked)


Is there any type of third-party certification for closed source software, similar to how we have ISO9001 for quality management? I'd prefer companies provide their software as open source, however I can imagine cases where the software genuinely doesn't do anything malicious but might still contain trade secrets that the author would want to protect. In these cases, it would be nice to have some kind of certification body that could review the source and assert that it doesn't contain spyware, etc., while still protecting the intellectual property.

top 8 comments
[–] thr0w4w4y2@sh.itjust.works 10 points 1 year ago (1 children)

the closest you’ll get is probably SOC II Type 2 or ISO 27001. While nowhere near perfect, those certifications validate that organisational controls such as change management, employee background screening, SDLC and production access controls functioned over the past 12 months. An external audit by an accredited specialist is required to obtain those certifications.

[–] slazer2au@lemmy.world 4 points 1 year ago (1 children)

I don't think SOC or 27001 cover software. It is more internal security controls, segmentation, and breaking responsibilities into specific roles.

[–] thr0w4w4y2@sh.itjust.works 3 points 1 year ago (1 children)

Yup, but you have to think “how would malicious software/spyware/whatever get in our source code and if it does, how would we detect it?”

that’s where ISO and SOC II add value and give some assurance that detective, preventative and corrective controls exist and are working to prevent an issue.

If the company maliciously inserts back doors into closed source code and sells it like that, no amount of external audit is going to defend against that because they’ll just hide the code from the auditors.

[–] slazer2au@lemmy.world 1 points 1 year ago (1 children)

Unless it is intentional, then the controls mean nothing.

[–] thr0w4w4y2@sh.itjust.works 2 points 1 year ago

yes so you’re agreeing with me

[–] ShortN0te@lemmy.ml 6 points 1 year ago

That certificate would not prove anything. Things can be overlooked or hidden well enough. More eyes = more better. OS is no guarantee either.

Also, it would be way too expensive, money- and time-wise. Every new version would need to be certified.

[–] TCB13@lemmy.world 3 points 1 year ago

Yes there is: in most countries you can first submit your code to the intellectual property office and then pay someone to audit it.

[–] bizdelnick@lemmy.ml 2 points 1 year ago

In what country? There are various national certifications for this purpose.