This is a very generic question about software products. I would like to know what compliance standards are applicable to any software product.

I know that question gives away nothing. So, here is an example of what I am referring to. CiSecurity Security Certification/Compliance lists out products certified by them to be compliant with the standards published at their website, i.e., cisecurity.org. Compliance could be as simple as answering a questionnaire for your product and having it approved by a third party like cisecurity, or it could apply to your whole organization, for instance, PCI-DSS compliance.

I would be very interested in knowing the standards that products you know/designed/created comply with. To give you the context behind this question: I am the developer of a data-masking tool. The said tool helps mask onscreen HTML text in a banking web application using filters. So, for instance, if the bank application lists out user information with SSNs, my product, when integrated with the banking product, automatically identifies the SSN pattern and masks it into a pre-defined format. So, I have my product marketing team wanting more buzzwords like compliance to be able to sell it to more banking clients. Hence, understanding "compliances that apply to products" is a key research item for me at this point. By which I meant security compliances.

Appreciate all your help and suggestions.
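The kind of response filter the question describes, written out as an added illustration that is not the asker's product code: a regex picks out dashed SSNs in the HTML text nodes of a page and rewrites them to a fixed mask, leaving the last four digits. The sample page fragment is constructed for this example. The plausibility check uses the SSA issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives; the tag/text tokenizer is a deliberately naive split on angle brackets, not an HTML parser, which is one of the assumptions that would need revisiting in a real deployment.

```python
import re

# Constructed sample page fragment (not from the original post): a customer
# listing as a banking app might render it, with one real-looking SSN, one
# SSN-shaped value that SSA would never issue, and an SSN-shaped string
# inside an attribute.
SAMPLE_HTML = (
    '<table id="cust-123-45-6789">'
    "<tr><td>Name</td><td>A. Example</td></tr>"
    "<tr><td>SSN</td><td>123-45-6789</td></tr>"
    "<tr><td>Ref</td><td>000-12-3456</td></tr>"
    "</table>"
)

# Dashed SSN: area-group-serial. The word boundaries stop the pattern from
# matching inside longer digit runs such as account or routing numbers.
# Undashed nine-digit SSNs are deliberately not matched: on a banking page
# they are indistinguishable from account numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Naive tokenizer (assumption: well-formed markup, no '>' inside attribute
# values). After re.split with a capturing group, even-indexed pieces are
# text nodes and odd-indexed pieces are tags.
TAG_SPLIT_RE = re.compile(r"(<[^>]*>)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask_ssn_text(text: str) -> str:
    """Replace each plausible SSN in a plain-text string with ***-**-NNNN."""
    def repl(m):
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)          # leave implausible matches untouched
        return f"***-**-{serial}"      # fixed mask, last four digits kept
    return SSN_RE.sub(repl, text)


def mask_html(document: str) -> str:
    """Mask SSNs in text nodes only.

    Tags and attributes pass through untouched so the filter never rewrites
    markup. This also makes the filter's blind spot visible: an SSN placed
    in an attribute (an id, a hidden input's value) still reaches the
    browser, because a filter over serialized HTML only sees what the
    application chose to write and only masks where it is told to look.
    """
    parts = TAG_SPLIT_RE.split(document)
    for i in range(0, len(parts), 2):
        parts[i] = mask_ssn_text(parts[i])
    return "".join(parts)


if __name__ == "__main__":
    print(mask_html(SAMPLE_HTML))
```

Run against the sample, the SSN in the table cell comes out as `***-**-6789`, the `000-12-3456` reference is left alone because it cannot be a real SSN, and the copy inside the `id` attribute survives unmasked. That last point is the caveat a buyer should hear before the word "compliance" is attached: output masking reduces what is displayed, but the sensitive value has still left the database and crossed the wire.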

A: 

I don't believe there is a specific governing body that dictates specifications for your type of software. Individual countries have their own privacy laws, and if you are in the US, individual states have their own laws, California being the toughest.

It sounds like your software is being distributed. When someone reports a vulnerability in your software (yes, it's going to happen eventually), if the bug was filed by a professional then they probably used MITRE, which will reference a CWE number (BugTraq is a nightmare!). Very few people realize that there are actually hundreds of different types of vulnerabilities and that all software is vulnerable to something, even if it's a technicality. If you think your software is 100% secure then you are a fool or you were fooled by a good salesman.

I believe that the CWE-200 family is most important to you. The most important member of this family is CWE-213, which directly references the example vulnerability you are attempting to patch. CWE-549 is also similar to what you are trying to defend against. The important part is to check out these CWEs' Relationships, because there are a number of related vulnerabilities that apply to you. For instance, the CWE-549 issue is related to credential management.

Rook