How can I prove that my software is secure for those who are interested to install it?

Prove is a strong word, and to be honest, it isn't the word you're looking for. What you really want is trust. You want users (or potential users, in this case) to trust that your software is secure enough for them to use to protect their most sensitive data. There are several ways that you can do this.

  • Open source the software. If users have the ability to review the source code, technical users are more likely to trust it, even if they never do review the source code, or in many cases are not even qualified to review the source code.

  • Get an independent opinion from a qualified third party. In other words, an audit that gives your software a clean bill of health.

  • Professional presentation. If your software is on a website that looks like it was built by an amateur in his spare time, many people will ascribe that quality to all of its features, including security. If it's presented professionally, and looks to be backed by someone professional, correctly or not, people will think more highly of it. Such is psychology.

Ultimately, your biggest challenge is likely not in your offering itself, but in the competition. There is a lot of password manager software out there. Yours not only needs to appear to be of high quality and secure, but at least as high quality and secure as theirs.


If you're serious about providing evidence of security (I would hesitate to use the word "proof"), then for the U.S. market, the NIST Cryptographic Module Validation Program (CMVP) is what you would need.

Be aware that getting the validation is a long, arduous, and expensive process, and may require significant investment and changes.

Also be aware that should you pass, you not only get free advertising by the U.S. Government, but your product is then eligible for purchase by agencies and companies required to use only FIPS 140-2 validated products.

Beyond that, a trusted and public third-party audit would at least be some evidence; it'll cost you, but not nearly as much as getting it validated.