The vendor does not make the source code available to testing authorities. Does this solution adhere to the secure design principle of open design?

Last Updated on September 25, 2021 by Admin 3

You are considering purchasing a VPN solution to protect your organization’s information assets. The solution you are reviewing uses RFC-compliant and open-standards encryption schemes. The vendor has submitted the system to a variety of recognized testing authorities. The vendor does not make the source code available to testing authorities. Does this solution adhere to the secure design principle of open design?

  • No, because the software vendor could have changed the code after testing, which is not verifiable.
  • No, because the software vendor submitted the software to testing authorities only, and did not make the software available to the public for testing.
  • Yes, because the methods were tested by recognized testing authorities, and the source code is protected from vandalism.
  • Yes, because the methods are open, and the system does not rely on the secrecy of its internal mechanisms to provide protection.
  • No, because if a software vendor refuses to reveal the source code for a product, it cannot comply with the open-design principle.