Or see TCSEC that was how the market produced the first, security-focused systems. They were only ones to pass pentesting at the time with designs and implementations still stronger than most software today. Although it had issues, its core lifecycle requirements mostly work and are still used for high-assurance security implementations. Alternatively, the DO-178B standard (now DO-178C) that got more vendors writing well-documented, well-reviewed code that they run through all kinds of static analyzers and testing tools to avoid costly re-certifications. Two examples of regulations that worked so well that they raised the status quo for both security and safety.
People mostly mention bad or questionable regulations when the topic comes up. I figure the good ones deserve mention, too, esp given they worked better than the market. That's probably due to the absence in market of both liability for software failures and most customers' ability to evaluate security claims.
People mostly mention bad or questionable regulations when the topic comes up. I figure the good ones deserve mention, too, esp given they worked better than the market. That's probably due to the absence in market of both liability for software failures and most customers' ability to evaluate security claims.
TCSEC Overview https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...
Bell Looking Back on TCSEC/TPEP http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...
DO-178B Overview https://en.wikipedia.org/wiki/DO-178B