The invention relates generally to computer systems, and deals more particularly with a technique to determine a security risk of a software application.
Every software application poses some security risk. The risks include unauthorized access, attack by hackers, computer viruses and worms, loss or corruption of data, loss of availability of data or of the application, and theft of proprietary or personal data. These vulnerabilities can be caused by programming errors, configuration problems or application design errors. Often, IT organizations will undergo a certification process to ensure that an application being considered for deployment meets some minimum standards for IT security. Known certification processes comprise some form of design review, security technical testing, and risk analysis based on the results of the design review and testing. The known certification process may also balance security risks against business needs, and to some extent is subjective.
There is an existing standard, NIST 800-37, for certifying applications used for the US government. This standard comprises guidelines for certifying and accrediting information systems that support the executive agencies of the U.S. Federal government.
An object of the present invention is to provide a system, method and program product for determining if a software application is sufficiently secure, under the circumstances and considering the business needs, to be deployed.
Another object of the present invention is to provide a system, method and program product of the foregoing type which is more objective than other known certification processes.