Is there any type of third-party certification for closed source software, similar to how we have ISO9001 for quality management? I’d prefer companies provide their software as open source, however I can imagine cases where the software genuinely doesn’t do anything malicious but might still contain trade secrets that the author would want to protect. In these cases, it would be nice to have some kind of certification body that could review the source and assert that it doesn’t contain spyware, etc., while still protecting the intellectual property.

  • thr0w4w4y2@sh.itjust.works
    link
    fedilink
    arrow-up
    11
    arrow-down
    1
    ·
    6 months ago

    the closest you’ll get is probably SOC II Type 2 or ISO 27001. While nowhere near perfect, those certifications validate that organisational controls such as change management, employee background screening, SDLC and production access controls functioned over the past 12 months. An external audit by an accredited specialist is required to obtain those certifications.

    • slazer2au@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      I don’t think so or 27001 cover software. It is more internal security controls, segmentation, and breaking responsibilities into specific roles.

      • thr0w4w4y2@sh.itjust.works
        link
        fedilink
        arrow-up
        3
        ·
        6 months ago

        Yup, but you have to think “how would malicious software/spyware/whatever get in our source code and if it does, how would we detect it?”

        that’s where ISO and SOC II add value and give some assurance that detective, preventative and corrective controls exist and are working to prevent an issue.

        If the company maliciously inserts back doors into closed source code and sells it like that, no amount of external audit is going to defend against that because they’ll just hide the code from the auditors.

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    6 months ago

    That certificate would not proof anything. Things can be overlooked or hidden enough. More eyes = more better. OS is no guarantee either.

    Also, it would be way too expensive, money and time wise. Every new Version would need to be certified.

  • TCB13@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    6 months ago

    Yes there is, in most countries you can first submit your code to the intelectual property office and then pay someone to audit it.