Hi,

We have a cybersecurity requirement for all software. We would like to know whether the Boost C++ Libraries are developed and comply with a Secure Software Development Life Cycle (SSDLC)?

Regards
Adrian Gan

[This e-mail is confidential and may be privileged. If you are not the intended recipient, please kindly notify us immediately and delete the message from your system; please do not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]
---ST Electronics Group---
-----Original Message-----
From: Boost-users [mailto:boost-users-bounces@lists.boost.org] On Behalf Of GAN Kok Leong, Adrian
Sent: 13 December 2016 06:39
To: boost-users@lists.boost.org
Subject: [Boost-users] SSDLC Compliance - Boost C++ Libraries

> We have a cybersecurity requirement for all software. We would like to know whether the Boost C++ Libraries are developed and comply with a Secure Software Development Life Cycle (SSDLC)?

The short answer is "No". This is because this highly formal structure is entirely inappropriate for open-source software building library blocks of fundamental C++ code written by volunteers who have no legal responsibility for their code, nor does Boost exist as a legal entity. See the Boost license at http://www.boost.org/LICENSE_1_0.txt. The final responsibility for use of Boost code lies entirely with its users.

Having said that, Boost does practise what most regard as 'Best Software Engineering Practice', including many of the items in the SDLC process, for example as described here: https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC....

Key indicators include:

* All C++ code, tests and documentation are always public and available for review and repeat by users.
* Peer review of each library before acceptance.
* Continuous public review of revisions.
* Requirement for a public test suite for each library.
* Continuous public re-testing on multiple platforms with multiple compilers.
* Public bug reporting process.
* Continuous improvement of code, testing and documentation, especially from reports of bugs.
* Very widespread use by millions of users.
* Many Boost libraries do, and continue to, form the basis for C++ ISO Standards.
* Public SHA256 hashes provide assurance that downloads are what was tested.

Cybersecurity is a tiny risk in the fundamental building blocks that are the Boost C++ Libraries. There are very few places to hide malicious code, unlike actual private software applications. What You See Is What You Get.

HTH

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830
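The last indicator in the reply above, published SHA256 hashes for release downloads, only helps if the user actually checks the archive against the published value before building from it. The following is an added illustration of that check, written for this page; it is not code from the thread, from Boost, or from any Boost tooling. It assumes the checksum is supplied in the common `sha256sum` text format (`<hex digest>  <filename>`), streams the file through `hashlib` so large archives are not read into memory at once, and compares digests with a constant-time comparison. The archive contents and the filename `example_archive.tar.bz2` are constructed stand-ins, not a real Boost release.

```python
"""Verify a downloaded archive against a published SHA-256 checksum.

Added example for this page (not Boost's own code). Checksum lines are
assumed to be in `sha256sum` format; all sample data below is constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large archives need not fit in memory


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 digest of the file at `path`, streamed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse one line in `sha256sum` output format: '<hex>  <filename>'.

    Tolerates the '*' binary-mode marker before the filename and upper-case
    hex. Raises ValueError on anything that is not a 64-char hex digest, so a
    truncated or mangled checksum file fails loudly instead of "verifying".
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, filename = parts
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return digest, filename.lstrip("*")


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals `expected_hex` (case-insensitive).

    A mismatch means the bytes on disk are not the bytes whose hash was
    published, whether from corruption in transit or deliberate substitution;
    either way the archive should not be built or installed.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Self-contained run on constructed data (no network, no real release).

    Writes a tiny stand-in "archive", verifies it against a matching published
    line, then appends one byte to simulate a damaged or altered download and
    shows that verification now fails.
    """
    payload = b"abc"  # constructed stand-in for the archive bytes
    # Constructed checksum line: SHA-256("abc") plus a placeholder filename.
    published_line = (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        "  example_archive.tar.bz2"
    )
    expected, name = parse_checksum_line(published_line)
    fd, path = tempfile.mkstemp(suffix=".tar.bz2")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        intact_ok = verify_download(path, expected)
        with open(path, "ab") as fh:
            fh.write(b"\n")  # simulate a tampered or truncated/corrupted download
        tampered_ok = verify_download(path, expected)
    finally:
        os.remove(path)
    return {"filename": name, "intact_ok": intact_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

In practice the published hash must come from a source the downloader trusts independently of the archive (the project's own site or announcement over HTTPS, not a checksum file sitting next to the archive on the same mirror), otherwise an attacker who can replace the archive can replace the hash too.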
Participants (2): GAN Kok Leong, Adrian; Paul A. Bristow