strawman

Software Facts Label

Wouldn't it be great if software came with labels like food does? In 2004 Aspect Security suggested to me a Software Facts label, like a nutrition facts label, material safety data sheets, or laser safety classes. Like food, it wouldn't tell you everything about the software, but could give you some ideas about the content. It would be a step toward making the asymmetrical flow of information (see George Akerlof, "The Market for Lemons" 1970) more symmetrical and might lead to markets for better (pick your definition of "better") software.

This is my very rough idea of the kind of things that might go into such a label. Clearly it will take a lot of work to improve (food labels have changed over the decades), but let's get started.

Software Facts

Name InvadingAlienOS
Version 1996.7.04
Expected number of users 15

Modules 5 483 Modules from libraries 4 102

	% Vulnerability

Cross Site Scripting 22		65%
	Reflected 12	55%
	Stored 10	55%

SQL Injection 2		10%

Buffer overflow 5		95%

Total Security Mechanisms 284		100%
	Authentication 15	5%
	Access control 3	1%
	Input validation 230	81%
	Encryption 3	1%
	AES 256 bits, Triple DES

Report security flaws to: ciwnmcyi@mothership.milkyway

Total Code 3.1415×10⁹ function points		100%
	C 1.1×10⁹ function points	35%
	Ratfor 2.0415×10⁹ function points	65%

Test Material 2.718×10⁶ bytes		100%
	Data 2.69×10⁶ bytes	99%
	Executables 27.18×10³ bytes	1%

Documentation 12 058 pages		100%
	Tutorial 3 971 pages	33%
	Reference 6 233 pages	52%
	Design & Specification 1 854 pages	15%

Libraries: Sun Java 1.5 runtime, Sun J2EE 1.2.2,
Jakarta log4j 1.5, Jakarta Commons 2.1,
Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1

Compiled with gcc (GCC) 3.3.1

Stripped of all symbols and relocation information.

What else could be easily supplied?

Source available? Yes/No/Escrowed (and place).
Default installation is secure? Yes/No.
Tested on the following platforms: ...
What access is used: (network [as client or server], disk, screen, ...)
Limits (e.g., "no more than 32 767 crew changes per month")
What are the configuration files? (registry entries, ...)
Certificates (e.g., "No Severe or Moderate weaknesses found by CodeChecker ver. 3.2")

Obviously many of these need standard units, e.g., function points and pages of documentation. It cannot be perfect (see Rice's theorem), but at least the terms will be codified and open to improvement.

Software Facts must be:

Voluntary
Absolutely simple to produce for vendors
- Make tools available to everyone
- Facts automatically generated
Have a standard format for other vendor claims

Cautions

A software facts label could be harmful. Here are some cautions.

A label can give false confidence. ("Fat free? Great, I'll have six!")
A label may become de rigueur and shut out better software.
A label could entrench current art and thus slow progress, either research or adoption.
Earning the label might divert effort from real product improvements.
Developing a label might divert effort better used to directly research software assurance. (Don't bother standardizing buggy whips)
A label can lead to liability and prosecution - not what we want.
Label information should be based on science: objective, helpful measures, which we don't have for software.

The basic idea here is expounded from Aspect Security's ideas. I am grateful to them, particularly Jeff Williams, for sharing their ideas.

Other Models or Similar Programs

Datamation lists products and includes a short fact sheet at the bottom of the page. For instance, their fact sheet about NTOSpider lists an id#, date posted, category, platform, and vendor. It also has links to the vendor's web site.

Chris Wysopal would like a software rating like ENERGY STAR. The February 17, 2006 TaoSecurity Blog explains, "The rating might say, 'Of the financial applications subjected to binary security analysis, the best score was 112, the worst was 24, and this application rates 86. This program's estimated incident response and patching cost is $1600 per server per year when customer-facing, and $400 per server per year when kept in-house.' "

Steve Christey names "Unforgivable Vulnerabilities": some that are so easy to exploit and well-known that their presence "is highly suggestive of the developer's lack of security awareness combined with a lack of security testing." He describes an elaboration of David Litchfield's Vulnerability Assessment Assurance Levels (VAAL) and shows that unforgivable vulnerabilities are on the lowest level. Christey suggests that VAAL could be elements in a software label. His paper is available at http://cwe.mitre.org/about/documents.html (accessed 5 October 2007).

Google's Software Principles have several points which could be stated in the label, for instance, Upfront Disclosure and Clear Behavior. Indeed, the label might be the location of something like a "Follows Google Software Principles" seal.

Andrew Jaquith's Security Metrics: replacing Fear, Uncertainty, and Doubt has interesting measures on pages 80 and 83 that might be included.

Created Thu Mar 24 15:14:50 2005

by Paul E. Black (paul.black@nist.gov)

Updated Tue Apr 29 16:42:53 2008

by Paul E. Black (paul.black@nist.gov)

This page's URL is http://hissa.nist.gov/~black/softwareFacts.html