Software Facts

Wouldn't it be great if software came with labels like food does? In 2004 Aspect Security's Jeff Williams proposed having a set of software facts, similar to a nutrition facts label, material safety data sheets, or laser safety classes. Like food, it would not tell you everything about the software, but could give you some ideas about its content. It would be a step toward making the asymmetrical flow of information (see George Akerlof, "The Market for Lemons" 1970) more symmetrical and might lead to markets for better (pick your definition of "better") software.

The Software Assurance Consortium, Daniel G. Wolf, is now the home for this Software Facts effort. That page has information about how to join and goals. SwAC also has pages with additional information:

Similar programs and related efforts
Possible scope, including audiences, classes of products or services, goals, and terminology.
Possible content and criteria for content
Participants and eventually process issues

Cautions

A fixed, small collection of software facts could be harmful. Here are some cautions.

A label can give false confidence. It may suggest security when there is not enough. ("Fat free? Great, I'll have six!")
A cursory review of the label may be done instead of appropriate analysis of other, existing material.
A label may become de rigueur and shut out better software.
A label could entrench current art and thus slow progress, either research or adoption.
Lack of an attribute in the label may lead to the assumption that the attribute is missing
Earning the label might divert effort from real product improvements.
Developing a label might divert effort better used to directly research software assurance. (Don't bother standardizing buggy whips)
A label may duplicate existing statutes, bargaining rights, or due diligence.
A label can lead to liability and prosecution - not what we want.
It could be outdated by patches or a new version OR be too bothersome to get for each new micro-version.

Created Thu Mar 24 15:14:50 2005

by Paul E. Black (paul.black@nist.gov)

Updated Tue Dec 6 16:53:22 2011

by Paul E. Black (paul.black@nist.gov)

Information Technology Laboratory, Software and Systems Division
PRIVACY/SECURITY ISSUES • FOIA • Disclaimer • USA.gov
NIST is an agency of the U.S. Commerce Department

This page's URL is http://hissa.nist.gov/~black/softwareFacts.html