Last Updated on September 25, 2021 by Admin 3
You are considering purchasing a VPN solution to protect your organization’s information assets. The solution you are reviewing uses RFC-compliant and open-standards encryption schemes. The vendor has submitted the system to a variety of recognized testing authorities. The vendor does not make the source code available to testing authorities. Does this solution adhere to the secure design principle of open design?
- No, because the software vendor could have changed the code after testing, which is not verifiable.
- No, because the software vendor submitted the software to testing authorities only, and did not make the software available to the public for testing.
- Yes, because the methods were tested by recognized testing authorities, and the source code is protected from vandalism.
- Yes, because the methods are open, and the system does not rely on the secrecy of its internal mechanisms to provide protection.
- No, because if a software vendor refuses to reveal the source code for a product, it cannot comply with the open-design principle.