5.  Survey and Analysis of Related Standards


5.1  Standards bodies

A few standards bodies have demonstrated over many years an abiding interest in security issues.
  • BSI (British), the British Standards Institution
  • BSI (German), the Bundesamt für Sicherheit in der Informationstechnik
  • ISO, the International Organization for Standardization
  • IEC, the International Electrotechnical Commission
  • NIST, the U.S. National Institute of Standards and Technology
5.2  Standards specific to secure coding

No generally accepted standard for secure coding practices exists. This conclusion was reached following:
  • Corresponding, directly or indirectly, with hundreds of international security experts;
  • Searching the online published records of the five international standards bodies listed above;
  • Searching the online published records of many major information security conferences over the last ten years;
  • Searching the online abstracts of tens of thousands of security-related articles, refereed papers, and other publications;
  • Consulting over twenty-five of the best information security texts available in English, and several in German and French;
  • Conducting web scans with three major search engines, using dozens of combinations of keywords in English, French, German, Spanish, and Italian; and
  • Consulting several hundred security-related websites.
If such a standard exists, it escaped detection, which suggests that even if it is out there, not very many programmers are using it.

5.3  Other pertinent security standards

Several security standards, of course, have been developed. Most pertain to Information Technology (IT) Security, and several (including the upcoming ISO/IEC 15443 cited below) focus on quality assurance methodologies. The most useful for the purposes of this survey are listed below. Familiarity with each can be valuable, if only to build confidence that it is not the chimerical "secure coding standard" so many are seeking.
  • ISO/IEC WD 15443, Information Technology-Security Techniques
  • ISO/IEC 15408, Evaluation Criteria for IT Security (the "Common Criteria")
  • BS 7799 (British Standards Institution), soon to be adopted as ISO/IEC 17799
    • Part 1: The Code of Practice. Intended to help companies implement their own security system.
    • Part 2: The Requirements Specification. Assists in the assessment of an organization.
5.4  Pertinent quality assurance standards

There are many possible testing and quality assurance methodologies which can contribute to the production of secure code. Recommending a specific one is outside the scope of this survey; the SSE-CMM, however, deserves careful study here.

The best list we have encountered is included in the upcoming standard from ISO/IEC, WD 15443, which was reviewed in draft. Here is the 15443 breakdown of quality assurance means and methods.

Process approaches:
  • Developer's Pedigree
  • Warranty Assurance
  • Supplier's Declaration
  • Evaluation Rating Maintenance
  • ISO 9000-3 Quality management and quality assurance standards, Part 3
  • ISO 9001 Quality systems--Model for quality assurance in design/development, production, installation and servicing
  • ISO/IEC 15504 Software process assessment
  • Accreditation assurance
Product/system/service approaches:
  • CC/CEM
  • ISO/IEC 9646, Conformance testing methodology and framework (conformance testing)
  • Penetration testing
  • X/Open branding
  • Personal assurance
  • ISO/IEC 14598 Software product evaluation
Environment (Personnel and Organization) approaches:
  • TCMM
  • ISO 13407, Human-centered design process for interactive systems (Human Centered Design, HCD)
  • Professional certification
5.5  Other resources

The following materials, while perhaps not strictly international standards, are of similar stature and provide much useful advice.
  • Council of Europe "Green Book", 1993
  • BSI Code of Practice
  • German BSI Grundschutz Handbuch (IT Baseline Protection Manual)
  • RFC 1244 (Site Security Handbook) and RFC 1281 (Guidelines for the Secure Operation of the Internet)
  • FIPS PUB 31ff
5.6  Details on selected existing standards, guidelines, and other resources

The following excerpts from ISO/IEC, WD 15443 provide background on those existing standards, guidelines, and other resources judged to be key to this survey.

SSE-CMM

The System Security Engineering Capability Maturity Model (SSE-CMM) is based on the fundamental principles and structure of the Systems Engineering Capability Maturity Model (SE-CMM) which is also a specialty Capability Maturity Model (CMM) modeled after the original CMM developed by the Software Engineering Institute (SEI). While CMMs target the management and organizational activities of an organization, the SSE-CMM contains a new set of engineering Key Process Areas (KPA) to place more emphasis on the organization's system security engineering activities. Although the SSE-CMM is a developmental process assurance method, it can also be used by organizations to improve their system security engineering processes to develop Information Technology Security (ITS) products or deliver ITS services (such as a threat and risk assessment) with higher quality and within schedule. ... The SSE-CMM is a unique model as it details security engineering requirements for engineering security systems and providing engineering security services in addition to the security requirements which the development environment must meet.

TCMM

The Trusted Capability Maturity Model (TCMM) is a developmental security software assurance standard based on the fundamental principles and structure of the CMM developed by SEI. Although the TCMM is a specialty CMM, it was created by merging the Trusted Software Development Methodology (TSDM) and the SEI CMM resulting in many revised KPAs and a new KPA called Trusted Software Development containing new practices which did not fit under any of the existing KPAs. The TCMM focuses only on the development environment and targets the management and organizational activities of an organization which differs considerably from the SSE-CMM. The TCMM is applicable only to processes and systems. Any processes related to the TOE development are out of scope.

ISO 9000

ISO 9000 is a quality assurance standard which contains 20 high-level clauses for an organization to satisfy before obtaining ISO 9000 registration. Originally made for manufacturing organizations, it can be applied to software development organizations but requires a lot of interpretation to be applicable. For this reason, ISO 9000-3, guidance for the application of ISO 9001 to the development, supply, and maintenance of software, was added to address the confusion and difficulty in applying ISO 9001 to software. ISO 9000-3 contains 22 clauses written specifically for software development and these map back to the actual ISO 9001 standard consisting of 20 clauses. Although the clauses are more specific to software, they are still of a sufficiently high level to require further interpretation to be applicable to an organization, and they do not address information technology security. Note that ISO 9000-3 guidance is limited to software, whereas ISO 9001 and the CC are applicable to hardware in addition to software products and systems.

Compliance to ISO 9000 is achieved by independent auditors inspecting the organization's quality manual and processes and interviewing personnel. An ISO 9000 certificate is only offered to a proper organization such as a company. This differs from the SSE-CMM which can be appraised for an individual group or project within a company or an organization.

ISO 9001 covers a wider scope than the CC requirements, from conception to decommissioning of a product, which means that an organization looking at being ISO 9001 registered as a way of saving evaluation time will have to implement a quality system covering more areas than required for a CC evaluation. This additional work to obtain ISO 9001 may not be justified.

ISO/IEC 15504

ISO/IEC 15504 is compatible with CMM. 15504 uses the process dimension and the capability dimension. The base practices are split into organization, management, engineering, customer-supplier and support. 15504 specifies a capability rating of the organization running the development process:
  • L0: incomplete process
  • L1: performed process
  • L2: managed process
  • L3: established process
  • L4: predictable process
  • L5: optimizing process
The rating is based on the assessment of a specific process instance. All types of assessment are supported: 15504 is applicable to self-assessment and independent assessment, and to continuous assessment and discrete assessment. A 15504 level 3 rating maps to successful ISO 9000 certification.

ITSEC and ITSEM

The evaluation criteria "Information Technology Security Evaluation Criteria (ITSEC)" and the evaluation manual "Information Technology Security Evaluation Manual (ITSEM)" are among the predecessor documents of the Common Criteria and of the Common Evaluation Methodology. They were developed in the early 1990s by four European nations: France, Germany, the Netherlands and the United Kingdom. The ITSEC assurance is based on the approach introduced in the TCSEC. However, the separation between functional and assurance requirements in the ITSEC allows greater flexibility. The assurance requirements are themselves split into the two aspects of effectiveness and correctness. Assessment of effectiveness involves consideration of the following aspects of the Target of Evaluation (TOE):
  • The suitability of the TOE's security enforcing functions to counter the threats to the security of the TOE identified in the security target;
  • The ability of the TOE's security enforcing functions and mechanisms to bind together in a way that is mutually supportive and provides an integrated and effective whole;
  • The ability of the TOE's security mechanisms to withstand direct attack;
  • Whether known security vulnerabilities in the construction of the TOE could in practice compromise the security of the TOE;
  • That the TOE cannot be configured or used in a manner which is insecure but which an administrator or end-user of the TOE would reasonably believe to be secure;
  • Whether known security vulnerabilities in the operation of the TOE could in practice compromise the security of the TOE.
The focus of the assurance effectiveness requirements is more on those aspects where the evaluator has to use his or her own knowledge and experience to assess whether the security approach in the evaluated IT product or system is reasonable. The focus of the assurance correctness requirements in the ITSEC is more on the aspects which shall confirm that the developer information concerning the IT security of the evaluated product or system is correct...

The ITSEM builds on the ITSEC describing how a TOE should be evaluated according to these criteria. The specific objective of the ITSEM is to ensure that there exists a harmonized set of evaluation methods which complements the ITSEC.

The ITSEM was not based on a predecessor document. As such, it presented for the first time much background information for the application of the assurance methods outlined in the ITSEC and, indirectly, also for the assurance methods used in the TCSEC and the CTCPEC.

BS 7799

BS7799 is a British Standard which was developed as a result of industry, government and commerce demand for a common framework to enable companies to develop, implement and measure effective security management practice and to provide confidence in inter-company trading. It is based on the best current information security practices of leading British and international businesses and has met with international acclaim. BS7799 has been adopted by a number of countries as a standard. Discussions are ongoing with a view to agreeing BS 7799 as an International (ISO) standard. BS 7799 has been provided to address the needs of information security management systems within organizations, and consists of two parts:
  • BS 7799: Part 1:1995 is The Code of Practice - provides guidance material to help companies to implement their own information security system;
  • BS 7799: Part 2:1998 is The Requirements Specification - against which an organization is assessed for compliance and subsequent certification.
BS 7799 relates to all information regardless of the media on which it is stored and transmitted, or where it is located. Every business needs a system to manage risks to its information in a systematic way and the standard provides guidance on the best controls available. To ensure the value of the whole process, it is important that appropriate controls and objectives are selected by the use of a risk assessment process and that the right level of control is applied. The controls listed below are those generally accepted as defining the industry baseline of good security practice.
  • Information security policy
  • Security organization
  • Assets classification and control
  • Personnel security
  • Physical and environmental security
  • Computer and network management
  • System access control
  • Systems development and maintenance
  • Business continuity planning
  • Compliance

IT Baseline Protection Manual (BSI Grundschutz Handbuch)

It is the aim of IT baseline protection, through the appropriate application of organizational, personnel, infrastructure and technical standard security measures, to achieve a security standard for IT systems that is adequate and sufficient as regards medium-level protection requirements and can serve as a basis for IT applications requiring a high degree of protection. To this end, the IT Baseline Protection Manual recommends safeguard packages for typical IT configurations, environments and organizational set-ups. For the preparation of this Manual, the German Information Security Agency (GISA)/Bundesamt für Sicherheit in der Informationstechnik (BSI) assumed risk assessment estimates on the basis of known threats and vulnerabilities and has developed packages of measures suited for this purpose. Consequently, the user only has to ensure that the recommended measures will be consistently and fully implemented. At the same time, this helps to ensure that IT security as regards medium-level protection requirements can be achieved in a labor-economical manner, especially since individual system security policies can refer to the IT Baseline Protection Manual. Thus, IT baseline protection becomes a common basis of agreement on measures to meet medium-level protection requirements.


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.