
Subject: Re: [Boost-users] SSDLC Compliance - Boost C++ Libraries
From: Paul A. Bristow (pbristow_at_[hidden])
Date: 2016-12-14 05:02:53


> -----Original Message-----
> From: Boost-users [mailto:boost-users-bounces_at_[hidden]] On Behalf Of GAN Kok Leong, Adrian
> Sent: 13 December 2016 06:39
> To: boost-users_at_[hidden]
> Subject: [Boost-users] SSDLC Compliance - Boost C++ Libraries
>
> We have a cybersecurity requirement for all software.
> We would like to know whether the Boost C++ Libraries are developed in compliance with a Secure Software Development Life Cycle (SSDLC)?

The short answer is "No".

This is because this highly formal structure is entirely inappropriate for open-source software building library blocks of
fundamental C++ code written by volunteers who have no legal responsibility for their code, nor does Boost exist as a legal entity.

See the Boost license at http://www.boost.org/LICENSE_1_0.txt.

The final responsibility for use of Boost code lies entirely with its users.

Having said that, Boost does practise what most regard as 'Best Software Engineering Practice' including many of the items in the
SDLC process, for example as described here:

https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf

Key indicators include:

* All C++ code, test and documentation is always public and available for review and repeat by users.
* Peer review of each library before acceptance.
* Continuous public review of revisions.
* Requirement for a public test suite for each library.
* Continuous public re-testing on multiple platforms with multiple compilers.
* Public bug reporting process.
* Continuous improvement of code, testing and documentation, especially from reports of bugs.
* Very widespread use by millions of users.
* Many Boost libraries do, and continue to, form the basis for C++ ISO Standards.
* Public SHA256 hashes provide assurance that downloads are what was tested.

Cybersecurity is a tiny risk in the fundamental building blocks that are Boost C++ Libraries. There are very few places to hide
malicious code, unlike actual private software applications.

What You See Is What You Get.

HTH

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830
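The last indicator in the list above, published SHA256 hashes for downloads, is only an assurance if someone actually checks them. The script below is an added example, not code from the Boost project or from the list message: a POSIX sh function that compares a downloaded archive against a hash obtained separately and refuses to continue on a mismatch. The file and the demo hash are constructed (the SHA256 of empty input), not real Boost release values.

```shell
#!/bin/sh
# verify_download FILE EXPECTED_SHA256
#   returns 0 when the file's SHA256 matches the published value,
#   1 on mismatch, 2 if the file is missing or no SHA-256 tool exists.

sha256_of() {
    # Prefer GNU coreutils sha256sum; fall back to BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 2
    fi
}

verify_download() {
    file=$1
    # Published hashes are sometimes shown upper-case; compare case-insensitively.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file (do not unpack or build it)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed stand-in for a downloaded archive: an empty file,
# whose well-known SHA256 is e3b0c442...b855.
tmp=$(mktemp)
: > "$tmp"
verify_download "$tmp" e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
rm -f "$tmp"
```

The expected hash has to come from the project's own release page over HTTPS, not from the same mirror that served the archive, otherwise an attacker who can replace one can replace both.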
