[Boost-users] SSDLC Compliance - Boost C++ Libraries
GAN Kok Leong, Adrian
2016-12-13 06:39:25 UTC
Hi,

We have a cybersecurity requirement for all software. We would like to know whether the Boost C++ Libraries are developed in compliance with a Secure Software Development Life Cycle (SSDLC)?

Regards
Adrian Gan


---ST Electronics Group---
Paul A. Bristow
2016-12-14 10:02:53 UTC
-----Original Message-----
Sent: 13 December 2016 06:39
Subject: [Boost-users] SSDLC Compliance - Boost C++ Libraries
We have a cybersecurity requirement for all software.
We would like to know whether the Boost C++ Libraries are developed in compliance with a Secure Software Development Life Cycle (SSDLC)?
The short answer is "No".

This is because this highly formal structure is entirely inappropriate for open-source software building library blocks of
fundamental C++ code written by volunteers who have no legal responsibility for their code, nor does Boost exist as a legal entity.

See the Boost license at http://www.boost.org/LICENSE_1_0.txt.

The final responsibility for use of Boost code lies entirely with its users.

Having said that, Boost does practise what most regard as 'Best Software Engineering Practice' including many of the items in the
SDLC process, for example as described here:

https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf

Key indicators include:

* All C++ code, tests and documentation are always public and available for review and repeat by users.
* Peer review of each library before acceptance.
* Continuous public review of revisions.
* Requirement for a public test suite for each library.
* Continuous public re-testing on multiple platforms with multiple compilers.
* Public bug reporting process.
* Continuous improvement of code, testing and documentation, especially from reports of bugs.
* Very widespread use by millions of users.
* Many Boost libraries do, and continue to, form the basis for C++ ISO Standards.
* Public SHA256 hashes provide assurance that downloads are what was tested.

Cybersecurity is a tiny risk in the fundamental building blocks that are Boost C++ Libraries. There are very few places to hide
malicious code, unlike actual private software applications.

What You See Is What You Get.

HTH

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830
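The last indicator in Paul's list, published SHA256 hashes, is the one a user can act on directly. The script below is an added example, not code from the thread or from the Boost project: it checks a downloaded archive against an expected digest and refuses it on mismatch. `sha256_of`, `verify_sha256` and the constructed sample file are assumptions made here; in real use the expected value is copied from the release page rather than computed locally.

```shell
#!/bin/sh
# Added example, not from the thread or from Boost: verify that a downloaded
# release archive matches the SHA256 value published for it, so the bytes you
# build are the ones that were reviewed and tested. EXPECTED below is derived
# from a constructed sample file, not a real Boost hash.

# Print the hex SHA256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX, 1 otherwise
# (missing file, mismatch, or a malformed expected value).
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # published hashes may be upper-case
    case "$expected" in
        *[!0-9a-f]*|'') echo "bad expected hash for $file" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "expected hash is not 64 hex chars" >&2; return 1; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed file: the pristine copy verifies, a modified copy does not.
demo_sample=$(mktemp)
printf 'constructed stand-in for a Boost release archive\n' > "$demo_sample"
EXPECTED=$(sha256_of "$demo_sample")      # stands in for the published value
verify_sha256 "$demo_sample" "$EXPECTED"
printf 'one extra byte' >> "$demo_sample"
if verify_sha256 "$demo_sample" "$EXPECTED"; then
    echo "unexpected: modified file verified" >&2
fi
rm -f "$demo_sample"
```

The check only adds assurance when the expected digest is obtained over a channel independent of the download itself (for example the project's release page over HTTPS), not from a file sitting next to the archive on the same mirror.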
